- PHP's bug report #43158 (http://bugs.php.net/bug.php?id=43158) identifies a
true bug in libcurl built with OpenSSL. It made curl_easy_getinfo() more or less always return 0 for CURLINFO_SSL_VERIFYRESULT because the function that would set it to something non-zero would return before the assign in almost all error cases. The internal variable is now set to non-zero from the start of the function only to get cleared later on if things work out fine.
										10
									
								
								CHANGES
									
									
									
									
									
								
							| @@ -6,6 +6,16 @@ | ||||
|  | ||||
|                                   Changelog | ||||
|  | ||||
| Daniel Stenberg (30 Jul 2008) | ||||
| - PHP's bug report #43158 (http://bugs.php.net/bug.php?id=43158) identifies a | ||||
|   true bug in libcurl built with OpenSSL. It made curl_easy_getinfo() more or | ||||
|   less always return 0 for CURLINFO_SSL_VERIFYRESULT because the function that | ||||
|   would set it to something non-zero would return before the assign in almost | ||||
|   all error cases. The internal variable is now set to non-zero from the start | ||||
|   of the function only to get cleared later on if things work out fine. | ||||
|  | ||||
| - Made the curl tool's -w option support the %{ssl_verify_result} variable | ||||
|  | ||||
| Daniel Fandrich (30 Jul 2008) | ||||
| - Added test cases 1052 through 1055 to test uploading data from files | ||||
|   during redirects.  Test cases 1052 and 1055 show problems (maybe the same | ||||
|   | ||||
| @@ -18,6 +18,7 @@ This release includes the following changes: | ||||
|  o Now builds for the INTEGRITY operating system | ||||
|  o Added CURLINFO_APPCONNECT_TIME | ||||
|  o Added test selection by key word in runtests.pl | ||||
|  o the curl tool's -w option support the %{ssl_verify_result} variable | ||||
|  | ||||
| This release includes the following bugfixes: | ||||
|  | ||||
| @@ -37,6 +38,7 @@ This release includes the following bugfixes: | ||||
|  o user-agent in CONNECT with non-HTTP protocols | ||||
|  o CURL_READFUNC_PAUSE problems fixed | ||||
|  o --use-ascii now works on Symbian OS, MS-DOS and OS/2 | ||||
|  o CURLINFO_SSL_VERIFYRESULT is fixed | ||||
|  | ||||
| This release includes the following known bugs: | ||||
|  | ||||
|   | ||||
							
								
								
									
										44
									
								
								lib/ssluse.c
									
									
									
									
									
								
							| @@ -1444,7 +1444,7 @@ ossl_connect_step1(struct connectdata *conn, | ||||
|     lookup=X509_STORE_add_lookup(connssl->ctx->cert_store,X509_LOOKUP_file()); | ||||
|     if ( !lookup || | ||||
|          (X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE], | ||||
| 			     X509_FILETYPE_PEM)!=1) ) { | ||||
|                              X509_FILETYPE_PEM)!=1) ) { | ||||
|       failf(data,"error loading CRL file :\n" | ||||
|             "  CRLfile: %s\n", | ||||
|             data->set.str[STRING_SSL_CRLFILE]? | ||||
| @@ -1455,11 +1455,11 @@ ossl_connect_step1(struct connectdata *conn, | ||||
|       /* Everything is fine. */ | ||||
|       infof(data, "successfully load CRL file:\n"); | ||||
|       X509_STORE_set_flags(connssl->ctx->cert_store, | ||||
| 			   X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); | ||||
|                            X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); | ||||
|     } | ||||
|     infof(data, | ||||
|           "  CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE] ? | ||||
| 	  data->set.str[STRING_SSL_CRLFILE]: "none"); | ||||
|           data->set.str[STRING_SSL_CRLFILE]: "none"); | ||||
|   } | ||||
|  | ||||
|   /* SSL always tries to verify the peer, this only says whether it should | ||||
| @@ -1639,6 +1639,8 @@ static CURLcode servercert(struct connectdata *conn, | ||||
|   X509 *issuer; | ||||
|   FILE *fp; | ||||
|  | ||||
|   data->set.ssl.certverifyresult = !X509_V_OK; | ||||
|  | ||||
|   connssl->server_cert = SSL_get_peer_certificate(connssl->handle); | ||||
|   if(!connssl->server_cert) { | ||||
|     if(strict) | ||||
| @@ -1692,34 +1694,34 @@ static CURLcode servercert(struct connectdata *conn, | ||||
|     if (data->set.str[STRING_SSL_ISSUERCERT]) { | ||||
|       if (! (fp=fopen(data->set.str[STRING_SSL_ISSUERCERT],"r"))) { | ||||
|         if (strict) | ||||
| 	  failf(data, "SSL: Unable to open issuer cert (%s)\n", | ||||
| 		data->set.str[STRING_SSL_ISSUERCERT]); | ||||
| 	X509_free(connssl->server_cert); | ||||
| 	connssl->server_cert = NULL; | ||||
| 	return CURLE_SSL_ISSUER_ERROR; | ||||
|           failf(data, "SSL: Unable to open issuer cert (%s)\n", | ||||
|                 data->set.str[STRING_SSL_ISSUERCERT]); | ||||
|         X509_free(connssl->server_cert); | ||||
|         connssl->server_cert = NULL; | ||||
|         return CURLE_SSL_ISSUER_ERROR; | ||||
|       } | ||||
|       issuer = PEM_read_X509(fp,NULL,ZERO_NULL,NULL); | ||||
|       if (!issuer) { | ||||
|         if (strict) | ||||
| 	  failf(data, "SSL: Unable to read issuer cert (%s)\n", | ||||
| 		data->set.str[STRING_SSL_ISSUERCERT]); | ||||
| 	X509_free(connssl->server_cert); | ||||
| 	X509_free(issuer); | ||||
| 	fclose(fp); | ||||
| 	return CURLE_SSL_ISSUER_ERROR; | ||||
|           failf(data, "SSL: Unable to read issuer cert (%s)\n", | ||||
|                 data->set.str[STRING_SSL_ISSUERCERT]); | ||||
|         X509_free(connssl->server_cert); | ||||
|         X509_free(issuer); | ||||
|         fclose(fp); | ||||
|         return CURLE_SSL_ISSUER_ERROR; | ||||
|       } | ||||
|       fclose(fp); | ||||
|       if (X509_check_issued(issuer,connssl->server_cert) != X509_V_OK) { | ||||
|         if (strict) | ||||
| 	  failf(data, "SSL: Certificate issuer check failed (%s)\n", | ||||
| 		data->set.str[STRING_SSL_ISSUERCERT]); | ||||
| 	X509_free(connssl->server_cert); | ||||
| 	X509_free(issuer); | ||||
| 	connssl->server_cert = NULL; | ||||
|           failf(data, "SSL: Certificate issuer check failed (%s)\n", | ||||
|                 data->set.str[STRING_SSL_ISSUERCERT]); | ||||
|         X509_free(connssl->server_cert); | ||||
|         X509_free(issuer); | ||||
|         connssl->server_cert = NULL; | ||||
|         return CURLE_SSL_ISSUER_ERROR; | ||||
|       } | ||||
|       infof(data, "\t SSL certificate issuer check ok (%s)\n", | ||||
| 	    data->set.str[STRING_SSL_ISSUERCERT]); | ||||
|             data->set.str[STRING_SSL_ISSUERCERT]); | ||||
|       X509_free(issuer); | ||||
|     } | ||||
|  | ||||
| @@ -1728,7 +1730,7 @@ static CURLcode servercert(struct connectdata *conn, | ||||
|     if(data->set.ssl.certverifyresult != X509_V_OK) { | ||||
|       if(data->set.ssl.verifypeer) { | ||||
|         /* We probably never reach this, because SSL_connect() will fail | ||||
|            and we return earlyer if verifypeer is set? */ | ||||
|            and we return earlier if verifypeer is set? */ | ||||
|         if(strict) | ||||
|           failf(data, "SSL certificate verify result: %s (%ld)", | ||||
|                 X509_verify_cert_error_string(lerr), lerr); | ||||
|   | ||||
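Review bot: In the `if (!issuer)` branch of servercert (the -1692 hunk), `connssl->server_cert` is freed but not reset to NULL, unlike the fopen-failure branch just above it and the issuer-check-failure branch just below, both of which clear the field before returning CURLE_SSL_ISSUER_ERROR; the re-indented lines carry this inconsistency over unchanged, so the struct is left holding a dangling certificate pointer. The fix is one line, `connssl->server_cert = NULL;` placed after `X509_free(connssl->server_cert);` in that branch. Whether a later close path frees the field again cannot be seen from this hunk, but the sibling branches evidently expect it to be cleared. The new `data->set.ssl.certverifyresult = !X509_V_OK;` line in the -1639 hunk also deserves a comment, since the value 1 is a pessimistic placeholder rather than a real verify code and is only cleared later when verification succeeds; something like `/* pessimistic default so early error returns below leave CURLINFO_SSL_VERIFYRESULT non-OK */` would stop a reader from treating it as a specific X509 error. servercert begins and ends outside these hunks.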
	 Daniel Stenberg