generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Made libcurl built with NSS possible to ignore the peer verification.

Browse Source 
Previously it would fail if the ca bundle wasn't present, even if the code
ignored the verification results.
This commit is contained in:
Daniel Stenberg
2007-10-25 21:08:55 +00:00
parent 1eac702c1a
commit 6a17cae4f6
3 changed files with 17 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@@ -6,6 +6,11 @@
Changelog Changelog
Daniel S (25 October 2007)
- Made libcurl built with NSS possible to ignore the peer verification.
Previously it would fail if the ca bundle wasn't present, even if the code
ignored the verification results.
Patrick M (25 October 2007) Patrick M (25 October 2007)
- Fixed test server to allow null bytes in binary posts. - Fixed test server to allow null bytes in binary posts.
_ Added tests 35, 544 & 545 to check binary data posts, both static (in place) _ Added tests 35, 544 & 545 to check binary data posts, both static (in place)

2
RELEASE-NOTES
View File

@@ -45,6 +45,8 @@ This release includes the following bugfixes:
over a HTTP proxy over a HTTP proxy
o embed the manifest in VC8 builds o embed the manifest in VC8 builds
o use valgrind in the tests even when the lib is built shared with libtool o use valgrind in the tests even when the lib is built shared with libtool
o libcurl built with NSS can now ignore the peer verification even whjen the
ca cert bundle is absent
This release includes the following known bugs: This release includes the following known bugs:

17
lib/nss.c
View File

@@ -909,9 +909,12 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
NULL) != SECSuccess) NULL) != SECSuccess)
goto error; goto error;
if (data->set.ssl.CAfile) { if(!data->set.ssl.verifypeer)
rv = nss_load_cert(data->set.ssl.CAfile, PR_TRUE); /* skip the verifying of the peer */
if (!rv) { ;
else if (data->set.ssl.CAfile) {
int rc = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
if (!rc) {
curlerr = CURLE_SSL_CACERT_BADFILE; curlerr = CURLE_SSL_CACERT_BADFILE;
goto error; goto error;
} }
@@ -954,8 +957,8 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
data->set.ssl.CApath ? data->set.ssl.CApath : "none"); data->set.ssl.CApath ? data->set.ssl.CApath : "none");
if(data->set.str[STRING_CERT]) { if(data->set.str[STRING_CERT]) {
char * n; char *n;
char * nickname; char *nickname;
nickname = (char *)malloc(PATH_MAX); nickname = (char *)malloc(PATH_MAX);
if(is_file(data->set.str[STRING_CERT])) { if(is_file(data->set.str[STRING_CERT])) {
@@ -973,7 +976,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
goto error; goto error;
} }
if (!cert_stuff(conn, data->set.str[STRING_CERT], if (!cert_stuff(conn, data->set.str[STRING_CERT],
data->set.str[STRING_KEY])) { data->set.str[STRING_KEY])) {
/* failf() is already done in cert_stuff() */ /* failf() is already done in cert_stuff() */
free(nickname); free(nickname);
return CURLE_SSL_CERTPROBLEM; return CURLE_SSL_CERTPROBLEM;
@@ -983,7 +986,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
if(SSL_GetClientAuthDataHook(model, if(SSL_GetClientAuthDataHook(model,
(SSLGetClientAuthData) SelectClientCert, (SSLGetClientAuthData) SelectClientCert,
(void *)connssl->client_nickname) != (void *)connssl->client_nickname) !=
SECSuccess) { SECSuccess) {
curlerr = CURLE_SSL_CERTPROBLEM; curlerr = CURLE_SSL_CERTPROBLEM;
goto error; goto error;
} }