Commit ca6ea6d9 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

TLS: make SSL_VERIFYSTATUS work again 

The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
and thus even if the status couldn't be verified, the connection would
be allowed and the user would not be told about the failed verification.

Regression since cb4e2be7

CVE-2017-2629
Bug: https://curl.haxx.se/docs/adv_20170222.html

Reported-by: Marcus Hoffmann
parent af5fbb14

lib/url.c

+3 −0
Original line number Diff line number Diff line
@@ -4173,8 +4173,11 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) 
  conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;

  conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;



  conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;

  conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;

  conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;

  conn->proxy_ssl_config.verifystatus =

    data->set.proxy_ssl.primary.verifystatus;

  conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;

  conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;