curl-users

[ curl-Bugs-445234 ] CA verification always fail

From: <noreply_at_sourceforge.net>
Date: Fri, 27 Jul 2001 09:54:25 -0700

Bugs item #445234, was opened at 2001-07-27 09:54
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=100976&aid=445234&group_id=976

Category: https
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Submitted By: Patrick Bihan-Faou (pbf)
Assigned to: Daniel Stenberg (bagder)
Summary: CA verification always fail

Initial Comment:
Hi,

The code in lib/ssluse.c that does the CA verification
does not check the return code of
"SSL_get_verify_result()" (line xxx); it should be checked
against X509_V_OK (0) before failing the verification.

root_at_nitro# curl -V
curl 7.8 (i386--freebsd4.3) libcurl 7.8 (OpenSSL 0.9.6)

The following patch fixes the issue:

root_at_nitro# diff -u ssluse.c.orig ssluse.c
--- ssluse.c.orig Wed May 30 04:00:29 2001
+++ ssluse.c Fri Jul 27 12:43:24 2001
@@ -392,10 +392,11 @@
      deallocating the certificate. */
     
   if(data->ssl.verifypeer) {
- data->ssl.certverifyresult=SSL_get_verify_result
(conn->ssl.handle);
- failf(data, "SSL certificate verify result: %d\n",
- data->ssl.certverifyresult);
- retcode = CURLE_SSL_PEER_CERTIFICATE;
+ if ((data-
>ssl.certverifyresult=SSL_get_verify_result(conn-
>ssl.handle)) != X509_V_OK) {
+ failf(data, "SSL certificate verify result: %
d\n",
+ data->ssl.certverifyresult);
+ retcode = CURLE_SSL_PEER_CERTIFICATE;
+ }
   }
   else
     data->ssl.certverifyresult=0;
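
Review bot: The added condition assigns data->ssl.certverifyresult inside the if expression, which makes the comparison against X509_V_OK easy to misread; store the result of SSL_get_verify_result() in its own statement first and then test "data->ssl.certverifyresult != X509_V_OK". In the unchanged else branch the literal 0 is the same value as X509_V_OK, so a caller reading certverifyresult afterwards cannot tell a verified peer from one that was never checked because verifypeer was off; that is worth a comment there or a distinct value. The failf() message also reports only the numeric code, and X509_verify_cert_error_string() would give the user the reason for the failure.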

 

----------------------------------------------------------------------

Received on 2001-07-27