- Changed NSS code to not ignore the value of ssl.verifyhost and produce more

verbose error messages. Originally reported at:
  https://bugzilla.redhat.com/show_bug.cgi?id=516056
Kamil Dudka
2009-08-13 16:04:51 +00:00
parent 5c716247aa
commit 6293fe98a0
2 changed files with 24 additions and 4 deletions


@@ -6,6 +6,11 @@
Changelog Changelog
Kamil Dudka (13 Aug 2009)
- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
verbose error messages. Originally reported at:
https://bugzilla.redhat.com/show_bug.cgi?id=516056
Daniel Stenberg (12 Aug 2009) Daniel Stenberg (12 Aug 2009)
- Karl Moerder fixed the Makefile.vc* makefiles to include the new file - Karl Moerder fixed the Makefile.vc* makefiles to include the new file
nonblock.c so that they work fine again nonblock.c so that they work fine again


@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
issuer); issuer);
break; break;
case SSL_ERROR_BAD_CERT_DOMAIN: case SSL_ERROR_BAD_CERT_DOMAIN:
if(conn->data->set.ssl.verifypeer) if(conn->data->set.ssl.verifyhost) {
failf(conn->data, "common name '%s' does not match '%s'",
subject, conn->host.dispname);
success = SECFailure; success = SECFailure;
infof(conn->data, "common name: %s (does not match '%s')\n", } else {
subject, conn->host.dispname); infof(conn->data, "warning: common name '%s' does not match '%s'\n",
subject, conn->host.dispname);
}
break; break;
case SEC_ERROR_EXPIRED_CERTIFICATE: case SEC_ERROR_EXPIRED_CERTIFICATE:
if(conn->data->set.ssl.verifypeer) if(conn->data->set.ssl.verifypeer)
success = SECFailure; success = SECFailure;
infof(conn->data, "Remote Certificate has expired.\n"); infof(conn->data, "Remote Certificate has expired.\n");
break; break;
case SEC_ERROR_UNKNOWN_ISSUER:
if(conn->data->set.ssl.verifypeer)
success = SECFailure;
infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
issuer);
break;
default: default:
if(conn->data->set.ssl.verifypeer) if(conn->data->set.ssl.verifypeer)
success = SECFailure; success = SECFailure;
@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
} }
} }
if(data->set.ssl.verifyhost == 1)
infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
data->set.ssl.certverifyresult=0; /* not checked yet */ data->set.ssl.certverifyresult=0; /* not checked yet */
if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn) if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
!= SECSuccess) { != SECSuccess) {
@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
if(SSL_ForceHandshakeWithTimeout(connssl->handle, if(SSL_ForceHandshakeWithTimeout(connssl->handle,
PR_SecondsToInterval(HANDSHAKE_TIMEOUT)) PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
!= SECSuccess) { != SECSuccess) {
if(conn->data->set.ssl.certverifyresult!=0) if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
curlerr = CURLE_PEER_FAILED_VERIFICATION;
else if(conn->data->set.ssl.certverifyresult!=0)
curlerr = CURLE_SSL_CACERT; curlerr = CURLE_SSL_CACERT;
goto error; goto error;
} }
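Review bot: The warning added in the second hunk of nss.c says the value 1 of ssl.verifyhost is being ignored, but the new SSL_ERROR_BAD_CERT_DOMAIN branch in BadCertHandler tests `if(conn->data->set.ssl.verifyhost)`, so 1 is non-zero and the handshake is failed exactly as for 2; nothing visible in these hunks resets the value after the warning, so as far as the diff shows it is enforced, not ignored. That is the safer (fail-closed) direction, but the message should describe what actually happens so users do not believe host checking is off, e.g. `infof(data, "warning: ssl.verifyhost=1 is not supported by NSS; treating it as 2 (full host name check)\n");` — or, if the intent really is to ignore it, the code should explicitly clear it before SSL_BadCertHook is installed. A one-line comment above the verifyhost test in BadCertHandler, `/* any non-zero verifyhost (including the unsupported 1) rejects a name mismatch */`, would make the tie between the two places explicit. BadCertHandler and Curl_nss_connect both start and end outside the hunks shown.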