Unverified Commit 2536e245 authored by Gaurav Malhotra's avatar Gaurav Malhotra Committed by Daniel Stenberg
Browse files

Revert "openssl: Don't add verify locations when verifypeer==0" 

This reverts commit dc854377.

libcurl (with the OpenSSL backend) performs server certificate verification
even if verifypeer == 0 and the verification result is available using
CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the
CURLINFO_SSL_VERIFYRESULT to not have useful information for the
verifypeer == 0 use case (it would always have
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).

Closes #2451
parent 336b6a32

lib/vtls/openssl.c

+16 −15
Original line number Diff line number Diff line
@@ -2349,11 +2349,10 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) 
#endif



  if(ssl_cafile || ssl_capath) {

    if(verifypeer) {

    /* tell SSL where to find CA certificates that are used to verify

       the servers certificate. */

      if(!SSL_CTX_load_verify_locations(BACKEND->ctx,

                                        ssl_cafile, ssl_capath)) {

    if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {

      if(verifypeer) {

        /* Fail if we insist on successfully verifying the server. */

        failf(data, "error setting certificate verify locations:\n"

              "  CAfile: %s\n  CApath: %s",
@@ -2361,19 +2360,21 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) 
              ssl_capath ? ssl_capath : "none");

        return CURLE_SSL_CACERT_BADFILE;

      }

      /* Just continue with a warning if no strict  certificate verification

         is required. */

      infof(data, "error setting certificate verify locations,"

            " continuing anyway:\n");

    }

    else {

      /* Everything is fine. */

        infof(data, "successfully set certificate verify locations:\n"

              "  CAfile: %s\n  CApath: %s\n",

      infof(data, "successfully set certificate verify locations:\n");

    }

    infof(data,

          "  CAfile: %s\n"

          "  CApath: %s\n",

          ssl_cafile ? ssl_cafile : "none",

          ssl_capath ? ssl_capath : "none");

  }

    }

    else {

      infof(data, "ignoring certificate verify locations due to "

            "disabled peer verification\n");

    }

  }

#ifdef CURL_CA_FALLBACK

  else if(verifypeer) {

    /* verfying the peer without any CA certificates won't