From: gnunet
Subject: [GNUnet-SVN] [gnurl] 50/150: openssl: Don't add verify locations when verifypeer==0
Date: Fri, 30 Mar 2018 16:48:24 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb
Author: Patrick Schlangen <address@hidden>
AuthorDate: Mon Feb 5 17:17:15 2018 +0100
openssl: Don't add verify locations when verifypeer==0
When peer verification is disabled, calling
SSL_CTX_load_verify_locations is not necessary. Only call it when
verification is enabled to save resources and increase performance.
Closes #2290
---
lib/vtls/openssl.c | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 0d7baca8b..2a6b3cfac 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2338,10 +2338,11 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
#endif
if(ssl_cafile || ssl_capath) {
- /* tell SSL where to find CA certificates that are used to verify
- the servers certificate. */
- if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {
- if(verifypeer) {
+ if(verifypeer) {
+ /* tell SSL where to find CA certificates that are used to verify
+ the servers certificate. */
+ if(!SSL_CTX_load_verify_locations(BACKEND->ctx,
+ ssl_cafile, ssl_capath)) {
/* Fail if we insist on successfully verifying the server. */
failf(data, "error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s",
@@ -2349,20 +2350,18 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
ssl_capath ? ssl_capath : "none");
return CURLE_SSL_CACERT_BADFILE;
}
- /* Just continue with a warning if no strict certificate verification
- is required. */
- infof(data, "error setting certificate verify locations,"
- " continuing anyway:\n");
+ else {
+ /* Everything is fine. */
+ infof(data, "successfully set certificate verify locations:\n"
+ " CAfile: %s\n CApath: %s\n",
+ ssl_cafile ? ssl_cafile : "none",
+ ssl_capath ? ssl_capath : "none");
+ }
}
else {
- /* Everything is fine. */
- infof(data, "successfully set certificate verify locations:\n");
- }
- infof(data,
- " CAfile: %s\n"
- " CApath: %s\n",
- ssl_cafile ? ssl_cafile : "none",
- ssl_capath ? ssl_capath : "none");
+ infof(data, "ignoring certificate verify locations due to "
+ "disabled peer verification\n");
+ }
}
#ifdef CURL_CA_FALLBACK
else if(verifypeer) {
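Review bot: the new verifypeer==0 branch logs "ignoring certificate verify locations due to disabled peer verification" without the CAfile/CApath values, and with the "error setting certificate verify locations, continuing anyway" path removed, a missing or unreadable bundle is no longer noticed at all in that mode. Consider printing ssl_cafile and ssl_capath in the ignoring message, as the success message now does, so a log reader can see which configured trust store was skipped. Minor style point: the else after "return CURLE_SSL_CACERT_BADFILE;" is redundant, and the success infof() can follow the if block directly.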