Commit e78652d8 authored by Daniel Stenberg's avatar Daniel Stenberg

- Made the gnutls code path not even try to get the server cert if no peer

  verification is requested. Previously it would even return failure if gnutls
  failed to get the server cert even though no verification was asked for.

- Fix my Curl_timeleft() leftover mistake in the gnutls code
parent 48918c30
+7 −0
@@ -7,6 +7,13 @@
                                  Changelog

Daniel S (15 Feb 2008)
- Made the gnutls code path not even try to get the server cert if no peer
  verification is requested. Previously it would even return failure if gnutls
  failed to get the server cert even though no verification was asked for.
  Public server showing the problem: https://www.net222.caisse-epargne.fr

- Fix my Curl_timeleft() leftover mistake in the gnutls code

- Pooyan McSporran found and fixed a flaw where you first would do a normal
  http request and then you'd reuse the handle and replace the Accept: header,
  as then libcurl would send two Accept: headers!
+2 −0
@@ -20,6 +20,8 @@ This release includes the following bugfixes:
 o GnuTLS-built libcurl failed when doing global cleanup and reinit
 o error message problem when unable to resolve a host on Windows
 o Accept: header replacing
 o not verificating server certs with gnutls still failed if gnutls had problems
   with the cert

This release includes the following known bugs:

+25 −21
@@ -156,7 +156,7 @@ static CURLcode handshake(struct connectdata *conn,
    rc = gnutls_handshake(session);

    if((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED)) {
      long timeout_ms = Curl_connecttimeleft(conn, NULL, duringconnect);
      long timeout_ms = Curl_timeleft(conn, NULL, duringconnect);

      if(timeout_ms < 0) {
        /* a precaution, no need to continue if time already is up */
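Review bot: the `if(timeout_ms < 0)` check below the renamed call treats a zero return as "time remains", so the swap to `Curl_timeleft(conn, NULL, duringconnect)` only keeps the "no need to continue if time already is up" precaution correct if Curl_timeleft reports an expired deadline as a negative value rather than as 0; worth confirming that contract (and that 0 is the "no timeout configured" case) in the same change, since the call site is otherwise unchanged.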
@@ -336,19 +336,20 @@ Curl_gtls_connect(struct connectdata *conn,

  chainp = gnutls_certificate_get_peers(session, &cert_list_size);
  if(!chainp) {
    if(data->set.ssl.verifyhost) {
    if(data->set.ssl.verifypeer) {
      failf(data, "failed to get server cert");
      return CURLE_PEER_FAILED_VERIFICATION;
    }
    infof(data, "\t common name: WARNING couldn't obtain\n");
  }

  if(data->set.ssl.verifypeer) {
    /* This function will try to verify the peer's certificate and return its
     status (trusted, invalid etc.). The value of status should be one or more
     of the gnutls_certificate_status_t enumerated elements bitwise or'd. To
     avoid denial of service attacks some default upper limits regarding the
     certificate key size and chain size are set. To override them use
     gnutls_certificate_set_verify_limits(). */
       status (trusted, invalid etc.). The value of status should be one or
       more of the gnutls_certificate_status_t enumerated elements bitwise
       or'd. To avoid denial of service attacks some default upper limits
       regarding the certificate key size and chain size are set. To override
       them use gnutls_certificate_set_verify_limits(). */

    rc = gnutls_certificate_verify_peers2(session, &verify_status);
    if(rc < 0) {
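Review bot: switching the early-return condition from `data->set.ssl.verifyhost` to `data->set.ssl.verifypeer` means that with verifypeer off and verifyhost on, a missing server certificate now only produces the "common name: WARNING couldn't obtain" infof and the function carries on; a host name check cannot be performed without a certificate, so either the later verifyhost handling must cope with a NULL `chainp`, or the behaviour (verifyhost is only enforced when verifypeer is set) should be stated in a comment next to this check so the relaxation is deliberate rather than implicit.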
@@ -368,6 +369,9 @@ Curl_gtls_connect(struct connectdata *conn,
    }
    else
      infof(data, "\t server certificate verification OK\n");
  }
  else
    infof(data, "\t server certificate verification SKIPPED\n");

  /* initialize an X.509 certificate structure. */
  gnutls_x509_crt_init(&x509_cert);
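Review bot: the new "server certificate verification SKIPPED" branch is reached even when `gnutls_certificate_get_peers()` returned NULL above, because the function no longer returns early in the verifypeer-off case; the code right after it unconditionally initializes `x509_cert`, so whatever imports the peer chain into it next needs to guard against `chainp` being NULL, otherwise the crash this change avoids for the no-verification case just moves a few lines down.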