Commit 6293fe98 authored by Kamil Dudka's avatar Kamil Dudka

- Changed NSS code to not ignore the value of ssl.verifyhost and produce more

  verbose error messages. Originally reported at:
  https://bugzilla.redhat.com/show_bug.cgi?id=516056
parent 5c716247
+5 −0
@@ -6,6 +6,11 @@

                                  Changelog

Kamil Dudka (13 Aug 2009)
- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
  verbose error messages. Originally reported at:
  https://bugzilla.redhat.com/show_bug.cgi?id=516056

Daniel Stenberg (12 Aug 2009)
- Karl Moerder fixed the Makefile.vc* makefiles to include the new file
  nonblock.c so that they work fine again
+19 −4
@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
          issuer);
    break;
  case SSL_ERROR_BAD_CERT_DOMAIN:
    if(conn->data->set.ssl.verifypeer)
    if(conn->data->set.ssl.verifyhost) {
      failf(conn->data, "common name '%s' does not match '%s'",
            subject, conn->host.dispname);
      success = SECFailure;
    infof(conn->data, "common name: %s (does not match '%s')\n",
    } else {
      infof(conn->data, "warning: common name '%s' does not match '%s'\n",
            subject, conn->host.dispname);
    }
    break;
  case SEC_ERROR_EXPIRED_CERTIFICATE:
    if(conn->data->set.ssl.verifypeer)
      success = SECFailure;
    infof(conn->data, "Remote Certificate has expired.\n");
    break;
  case SEC_ERROR_UNKNOWN_ISSUER:
    if(conn->data->set.ssl.verifypeer)
      success = SECFailure;
    infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
          issuer);
    break;
  default:
    if(conn->data->set.ssl.verifypeer)
      success = SECFailure;
@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
    }
  }

  if(data->set.ssl.verifyhost == 1)
    infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");

  data->set.ssl.certverifyresult=0; /* not checked yet */
  if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
     != SECSuccess) {
@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
  if(SSL_ForceHandshakeWithTimeout(connssl->handle,
                                    PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
      != SECSuccess) {
    if(conn->data->set.ssl.certverifyresult!=0)
    if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
      curlerr = CURLE_PEER_FAILED_VERIFICATION;
    else if(conn->data->set.ssl.certverifyresult!=0)
      curlerr = CURLE_SSL_CACERT;
    goto error;
  }
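Review bot: The warning added in the second hunk states that the value 1 of ssl.verifyhost is ignored, but the new test in BadCertHandler, `if(conn->data->set.ssl.verifyhost) {`, is a plain truthiness check, so a value of 1 takes the failf/SECFailure path exactly like 2 — it is promoted to full host-name matching rather than ignored. Failing closed is the safe direction, but the message and the error buffer should describe what actually happens, e.g. `infof(data, "warning: unsupported value (1) of ssl.verifyhost, treated as 2\n");`, or a comment above the check noting that any non-zero verifyhost enforces the common-name match. BadCertHandler begins before the first hunk and ends after it, and the Curl_nss_connect body around the other two hunks is likewise only partly visible here.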