Made libcurl built with NSS possible to ignore the peer verification.

Previously it would fail if the ca bundle wasn't present, even if the code ignored the verification results.

Made libcurl built with NSS possible to ignore the peer verification.
Previously it would fail if the ca bundle wasn't present, even if the code ignored the verification results.
6a17cae4 · Daniel Stenberg · 1eac702c · 6a17cae4 · 6a17cae4 · 6a17cae4
Commit 6a17cae4 authored 17 years ago by Daniel Stenberg
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@

                                  Changelog

+Daniel S (25 October 2007)
+- Made libcurl built with NSS possible to ignore the peer verification.
+  Previously it would fail if the ca bundle wasn't present, even if the code
+  ignored the verification results.
+
 Patrick M (25 October 2007)
 - Fixed test server to allow null bytes in binary posts.
 _ Added tests 35, 544 & 545 to check binary data posts, both static (in place)

--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -45,6 +45,8 @@ This release includes the following bugfixes:
   over a HTTP proxy
 o embed the manifest in VC8 builds
 o use valgrind in the tests even when the lib is built shared with libtool
+ o libcurl built with NSS can now ignore the peer verification even whjen the
+   ca cert bundle is absent

 This release includes the following known bugs:


--- a/lib/nss.c
+++ b/lib/nss.c
@@ -909,9 +909,12 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
                           NULL) != SECSuccess)
    goto error;

-  if (data->set.ssl.CAfile) {
-    rv = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
-    if (!rv) {
+  if(!data->set.ssl.verifypeer)
+    /* skip the verifying of the peer */
+    ;
+  else if (data->set.ssl.CAfile) {
+    int rc = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
+    if (!rc) {
      curlerr = CURLE_SSL_CACERT_BADFILE;
      goto error;
    }
@@ -954,8 +957,8 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
        data->set.ssl.CApath ? data->set.ssl.CApath : "none");

  if(data->set.str[STRING_CERT]) {
-    char * n;
-    char * nickname;
+    char *n;
+    char *nickname;

    nickname = (char *)malloc(PATH_MAX);
    if(is_file(data->set.str[STRING_CERT])) {
@@ -973,7 +976,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
      goto error;
    }
    if (!cert_stuff(conn, data->set.str[STRING_CERT],
-        data->set.str[STRING_KEY])) {
+                    data->set.str[STRING_KEY])) {
      /* failf() is already done in cert_stuff() */
      free(nickname);
      return CURLE_SSL_CERTPROBLEM;
@@ -983,7 +986,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
    if(SSL_GetClientAuthDataHook(model,
                                 (SSLGetClientAuthData) SelectClientCert,
                                 (void *)connssl->client_nickname) !=
-                                 SECSuccess) {
+       SECSuccess) {
      curlerr = CURLE_SSL_CERTPROBLEM;
      goto error;
    }