openssl: if verifypeer is not requested, skip the CA loading #7892
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It was previously done mostly to show a match/non-match in the verbose output even when verification was not asked for. This change skips the loading of the CA certs unless verifypeer is set to save memory and CPU.
|
This commit is causing the problem in our application that uses libcurl. Please see the old comment for more details on this. IMO, we should revert this commit. |
|
I think a start would be to file an issue explaining the problem. |
|
Interesting (and glad) to see this has been re-added after my previous commit has been reverted. After my PR in #2290, I've added a note in https://github.com/pschlan/curl/blob/master/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3#L61-L68 to document the expensive loading of the ca file despite VERIFYPEER being disabled. Should we remove this note now? |
|
Oh nice catch @pschlan, yes we should. You wanna do it? |
pschlan
added a commit
to pschlan/curl
that referenced
this pull request
Oct 30, 2022
This note became obsolete since PR curl#7892 (see also discussion in the PR comments).
pschlan
added a commit
to pschlan/curl
that referenced
this pull request
Oct 30, 2022
This note became obsolete since PR curl#7892 (see also discussion in the PR comments).
jay
added a commit
to jay/curl
that referenced
this pull request
Jan 5, 2023
This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the CA store can be used at the same time. --- This behavior was originally added over two years ago in abbc5d6 (curl#5585) but then 83393b1 (curl#7892) broke it two months ago, I assume inadvertently. The CURLSSLOPT_NATIVE_CA feature is marked experimental and likely rarely used. Ref: curl#5585 Ref: curl#7892 Ref: https://curl.se/mail/lib-2023-01/0019.html Closes #xxxx
jay
added a commit
to jay/curl
that referenced
this pull request
Jan 11, 2023
.. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA. This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the CA store can be used at the same time. --- This behavior was originally added over two years ago in abbc5d6 (curl#5585) but then 83393b1 (curl#7892) broke it two months ago, I assume inadvertently. The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely rarely used. Ref: curl#5585 Ref: curl#7892 Ref: https://curl.se/mail/lib-2023-01/0019.html Closes #xxxx
jay
added a commit
that referenced
this pull request
Jan 17, 2023
.. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA. This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the native Windows CA store can be used at the same time. --- This behavior was originally added over two years ago in abbc5d6 (#5585) but then 83393b1 (#7892) broke it over a year ago, I assume inadvertently. The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely rarely used. Ref: #5585 Ref: #7892 Ref: https://curl.se/mail/lib-2023-01/0019.html Closes #10244
bch
pushed a commit
to bch/curl
that referenced
this pull request
Jul 19, 2023
.. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA. This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the native Windows CA store can be used at the same time. --- This behavior was originally added over two years ago in abbc5d6 (curl#5585) but then 83393b1 (curl#7892) broke it over a year ago, I assume inadvertently. The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely rarely used. Ref: curl#5585 Ref: curl#7892 Ref: https://curl.se/mail/lib-2023-01/0019.html Closes curl#10244
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It was previously done mostly to show a match/non-match in the verbose
output even when verification was not asked for. This change skips the
loading of the CA certs unless verifypeer is set to save memory and CPU.