generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

nss: do not ignore value of CURLOPT_SSL_VERIFYPEER

Browse Source 
When NSS-powered libcurl connected to a SSL server with
CURLOPT_SSL_VERIFYPEER equal to zero, NSS remembered that the peer
certificate was accepted by libcurl and did not ask the second time when
connecting to the same server with CURLOPT_SSL_VERIFYPEER equal to one.

This patch turns off the SSL session cache for the particular SSL socket
if peer verification is disabled.  In order to avoid any performance
impact, the peer verification is completely skipped in that case, which
makes it even faster than before.

Bug: https://bugzilla.redhat.com/678580
This commit is contained in:
Kamil Dudka
2011-03-15 14:52:26 +01:00
parent 5a433a033f
commit 806dbb022b
3 changed files with 37 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/libcurl/curl_easy_setopt.3
View File

@@ -2007,7 +2007,10 @@ The default value for this option is 2.
This option controls checking the server's certificate's claimed identity.
The server could be lying. To control lying, see
\fICURLOPT_SSL_VERIFYPEER\fP.
\fICURLOPT_SSL_VERIFYPEER\fP. If libcurl is built against NSS and
\fICURLOPT_SSL_VERIFYPEER\fP is zero, \fICURLOPT_SSL_VERIFYHOST\fP
is ignored.
.IP CURLOPT_CERTINFO
Pass a long set to 1 to enable libcurl's certificate chain info gatherer. With
this enabled, libcurl (if built with OpenSSL) will extract lots of information