Fixed BearSSL bug: error on CURLOPT_SSL_VERIFYPEER 0 and expired cert #8475
Separated from: #8106
The x509_minimal engine of BearSSL is used to parse the certificate chain. When verifypeer is set to 0 the result of the end_chain method (`xm_end_chain`) is overridden to return `BR_ERR_OK` so that the chain is deemed valid even if it is not. The engine is also used to extract the public key from the cert. However, because the x509_minimal engine stops parsing if any validity check fails, the parsing can stop before the public key is extracted. Checking the BearSSL code in `x509_minimal.t0:decode-certificate` we can see that this can happen for example for `ERR_X509_EXPIRED`. This means that `x509_get_pkey` will return no key if the cert is expired and verifypeer is set to 0, which will result in `bearssl_run_until` returning `CURLE_SSL_CONNECT_ERROR`.

This is fixed by using the x509_decode engine instead of the x509_minimal engine to parse and extract the public key from the first cert of the chain.
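The failure mode described above, as an added toy model (not curl's or BearSSL's code): a parser that validates while decoding and aborts on the first failed check never reaches the public key, so forcing the chain verdict to OK afterwards cannot bring it back, whereas a pure decoder extracts the key regardless of validity. The TLV "cert" format, the `parse_cert`/`old_get_pkey`/`new_get_pkey` names and the error values are all constructed for this illustration.

```c
/* Toy model of the verifypeer == 0 bug. Constructed "cert" format:
 * tag 0x01 = notAfter (4 bytes, big-endian), tag 0x02 = public key bytes.
 * Not BearSSL's DER parsing; only the control flow is being modelled. */
#include <stddef.h>
#include <stdint.h>

#define ERR_OK 0
#define ERR_X509_EXPIRED 1   /* placeholder values, not BearSSL's */
#define ERR_MALFORMED 2

struct pkey { const uint8_t *data; size_t len; };

/* validate=1 models x509_minimal: checks while parsing and stops on error.
 * validate=0 models a pure decoder: extracts fields, never judges validity. */
static int parse_cert(const uint8_t *c, size_t n, uint32_t now, int validate,
                      struct pkey *out)
{
  out->data = NULL; out->len = 0;
  while(n >= 2) {
    uint8_t tag = c[0]; size_t vl = c[1]; const uint8_t *v = c + 2;
    if(vl + 2 > n) return ERR_MALFORMED;
    if(tag == 0x01 && vl == 4 && validate) {
      uint32_t not_after = ((uint32_t)v[0] << 24) | ((uint32_t)v[1] << 16) |
                           ((uint32_t)v[2] << 8) | v[3];
      if(now > not_after) return ERR_X509_EXPIRED;  /* parsing stops here */
    }
    else if(tag == 0x02) { out->data = v; out->len = vl; }
    c += vl + 2; n -= vl + 2;
  }
  return ERR_OK;
}

/* Before the fix: run the validating engine, then override its verdict with
 * ERR_OK (the end_chain override). The key is still missing for an expired cert. */
static const struct pkey *old_get_pkey(const uint8_t *c, size_t n, uint32_t now,
                                       struct pkey *out)
{
  int err = parse_cert(c, n, now, 1, out);
  (void)err;                          /* verdict ignored, but key was never reached */
  return out->data ? out : NULL;
}

/* After the fix: a pure decoder extracts the key regardless of validity. */
static const struct pkey *new_get_pkey(const uint8_t *c, size_t n, struct pkey *out)
{
  return (parse_cert(c, n, 0, 0, out) == ERR_OK && out->data) ? out : NULL;
}

/* Constructed sample: notAfter = 1000, followed by a 3-byte "key". */
static const uint8_t EXPIRED_CERT[] = {0x01, 4, 0, 0, 0x03, 0xE8, 0x02, 3, 0xAA, 0xBB, 0xCC};
```

With `now` past the notAfter value the old path yields no key even though the overridden verdict is OK; the decoder path returns the key, which is what the fix relies on.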