diff -r -b -c curl-7.10.7.orig/lib/sendf.c curl-7.10.7/lib/sendf.c
*** curl-7.10.7.orig/lib/sendf.c Mon Aug 11 11:56:06 2003
--- curl-7.10.7/lib/sendf.c Thu Oct 16 19:01:37 2003
***************
*** 386,392 ****
  case SSL_ERROR_WANT_WRITE:
  /* there's data pending, re-invoke SSL_read() */
  return -1; /* basicly EWOULDBLOCK */
! case SSL_ERROR_SYSCALL:
  /* openssl/ssl.h says "look at error stack/return value/errno" */
  {
  char error_buffer[120]; /* OpenSSL documents that this must be at least
--- 386,392 ----
  case SSL_ERROR_WANT_WRITE:
  /* there's data pending, re-invoke SSL_read() */
  return -1; /* basicly EWOULDBLOCK */
! default:
  /* openssl/ssl.h says "look at error stack/return value/errno" */
  {
  char error_buffer[120]; /* OpenSSL documents that this must be at least
***************
*** 397,405 ****
  Curl_ourerrno() );
  }
  return CURLE_RECV_ERROR;
- default:
- failf(conn->data, "SSL read error: %d", err);
- return CURLE_RECV_ERROR;
  }
  }
  }
--- 397,402 ----
diff -r -b -c curl-7.10.7.orig/lib/ssluse.c curl-7.10.7/lib/ssluse.c
*** curl-7.10.7.orig/lib/ssluse.c Thu Oct 16 19:30:04 2003
--- curl-7.10.7/lib/ssluse.c Wed Oct 22 18:30:53 2003
***************
*** 815,835 ****
  }
  }
! if(data->set.ssl.verifypeer) {
! SSL_CTX_set_verify(conn->ssl.ctx,
! SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
! SSL_VERIFY_CLIENT_ONCE,
! cert_verify_callback);
! if ((data->set.ssl.CAfile || data->set.ssl.CApath) &&
! !SSL_CTX_load_verify_locations(conn->ssl.ctx,
! data->set.ssl.CAfile, data->set.ssl.CApath)) {
! failf(data,"error setting certificate verify locations");
  return CURLE_SSL_CACERT;
! }
! }
! else
  SSL_CTX_set_verify(conn->ssl.ctx, SSL_VERIFY_NONE, cert_verify_callback);
  /* give application a chance to interfere with SSL set up. */
  if (data->set.ssl.fsslctx) {
--- 815,859 ----
  }
  }
! if (data->set.ssl.CAfile || data->set.ssl.CApath) {
! /* tell SSL where to find CA certificates that are used to verify
! the servers certificate. */
! 
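Review bot: Turning `case SSL_ERROR_SYSCALL:` into `default:` and deleting the old `default:` in the following hunk drops the SSL_get_error() code `err` from the diagnostic, so any category not handled by a case above this hunk (SSL_ERROR_SSL in particular, a protocol or certificate failure rather than a transport one) is now reported only through errno and the error stack, and errno typically carries nothing useful for that category. Keep the code in the message, for example by passing `err` to the failf whose closing `Curl_ourerrno() );` is visible here and adding a `%d` for it to the format string (lines 393–396 of that call are outside the hunk). If SSL_ERROR_ZERO_RETURN is not handled by an earlier case, a clean close_notify from the peer also becomes CURLE_RECV_ERROR after this change; worth confirming against the full switch. The enclosing function starts and ends outside the hunk.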
if (!SSL_CTX_load_verify_locations(conn->ssl.ctx, data->set.ssl.CAfile, data->set.ssl.CApath)) {
! if (data->set.ssl.verifypeer) {
! /* Fail if we insist on successfully verifying the server. */
! failf(data,"error setting certificate verify locations:\n"
! " CAfile: %s\n CApath: %s\n",
! data->set.ssl.CAfile ? data->set.ssl.CAfile : "none",
! data->set.ssl.CApath ? data->set.ssl.CApath : "none");
  return CURLE_SSL_CACERT;
! } else {
! /* Just continue with a warning if no strict certificate verification
! is required. */
! infof(data,"error setting certificate verify locations, continuing anyway:\n");
! infof(data, " CAfile: %s\n",
! data->set.ssl.CAfile ? data->set.ssl.CAfile : "none");
! infof(data, " CApath: %s\n",
! data->set.ssl.CApath ? data->set.ssl.CApath : "none");
! }
! } else {
! /* Everything is fine. */
! infof(data,"successfully set certificate verify locations:\n");
! infof(data, " CAfile: %s\n",
! data->set.ssl.CAfile ? data->set.ssl.CAfile : "none");
! infof(data, " CApath: %s\n",
! data->set.ssl.CApath ? data->set.ssl.CApath : "none");
! }
! }
! /* SSL always tries to verify the peer, this only says whether it should fail
! to connect if the verification fails, or if it should continue anyway. In
! the latter case the result of the verification is checked with
! SSL_get_verify_result() below. */
! if(data->set.ssl.verifypeer) {
! SSL_CTX_set_verify(conn->ssl.ctx, SSL_VERIFY_PEER, cert_verify_callback);
! } else {
  SSL_CTX_set_verify(conn->ssl.ctx, SSL_VERIFY_NONE, cert_verify_callback);
+ }
  /* give application a chance to interfere with SSL set up. */
  if (data->set.ssl.fsslctx) {
***************
*** 1054,1069 ****
  /* We could do all sorts of certificate verification stuff here before deallocating the certificate. */
! if(data->set.ssl.verifypeer) {
! 
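Review bot: The six `data->set.ssl.CAfile ? data->set.ssl.CAfile : "none"` / CApath ternaries in the new verify-locations block repeat the same expression at three message sites and make them easy to get out of sync; two locals computed once at the top of the `if (data->set.ssl.CAfile || data->set.ssl.CApath)` branch would shorten every failf and infof call. The new failf also embeds two `\n` in its message; if failf copies the text into the application's error buffer as the single-line failf calls elsewhere on this page assume, those newlines end up there, so consider keeping the failf to one line and leaving the per-path detail to infof. When verifypeer is set but neither CAfile nor CApath is given, the whole branch is skipped and no trust anchors are loaded, so every handshake will fail verification with no hint why unless CAs are loaded elsewhere (for instance by the fsslctx callback below); an infof in an else branch would make that visible in the log. The enclosing function starts and ends outside the hunk.
```c
  if (data->set.ssl.CAfile || data->set.ssl.CApath) {
    const char *cafile = data->set.ssl.CAfile ? data->set.ssl.CAfile : "none";
    const char *capath = data->set.ssl.CApath ? data->set.ssl.CApath : "none";
    /* … unchanged: SSL_CTX_load_verify_locations() call and the verifypeer test … */
        failf(data, "error setting certificate verify locations: CAfile: %s CApath: %s",
              cafile, capath);
    /* … unchanged: return CURLE_SSL_CACERT; … */
        infof(data, " CAfile: %s\n", cafile);
        infof(data, " CApath: %s\n", capath);
    /* … unchanged: the "successfully set" branch uses cafile/capath the same way … */
  }
  else if (data->set.ssl.verifypeer) {
    infof(data, "no CAfile or CApath set, peer verification will fail unless CAs are loaded elsewhere\n");
  }
```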
data->set.ssl.certverifyresult=SSL_get_verify_result(conn->ssl.handle);
  if (data->set.ssl.certverifyresult != X509_V_OK) {
  failf(data, "SSL certificate verify result: %d", data->set.ssl.certverifyresult);
  retcode = CURLE_SSL_PEER_CERTIFICATE;
  }
  }
- else
- data->set.ssl.certverifyresult=0;
  X509_free(conn->ssl.server_cert);
  #else /* USE_SSLEAY */
--- 1078,1098 ----
  /* We could do all sorts of certificate verification stuff here before deallocating the certificate. */
! data->set.ssl.certverifyresult = SSL_get_verify_result(conn->ssl.handle);
  if (data->set.ssl.certverifyresult != X509_V_OK) {
+ if (data->set.ssl.verifypeer) {
+ /* We probably never reach this, because SSL_connect() will fail
+ and we return earlyer if verifypeer is set? */
  failf(data, "SSL certificate verify result: %d", data->set.ssl.certverifyresult);
  retcode = CURLE_SSL_PEER_CERTIFICATE;
+ } else {
+ infof(data, "SSL certificate verify result: %d, continuing anyway.\n",
+ data->set.ssl.certverifyresult);
  }
+ } else {
+ infof(data, "SSL certificate verify ok.\n");
  }
  X509_free(conn->ssl.server_cert);
  #else /* USE_SSLEAY */
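Review bot: The `%d` in the new `infof(data, "SSL certificate verify result: %d, continuing anyway.\n", ...)` (and in the unchanged failf above it) does not match what SSL_get_verify_result() returns, which is a long, so the conversion is wrong wherever long and int differ in size; certverifyresult's own declaration is outside the hunk, and if it is an int the assignment narrows silently instead. Use `%ld`, and since with verifypeer off this infof line is the only trace in the log that the server's certificate failed validation, include the reason text: `infof(data, "SSL certificate verify result: %s (%ld), continuing anyway.\n", X509_verify_cert_error_string(data->set.ssl.certverifyresult), data->set.ssl.certverifyresult);`, with the same treatment for the failf. The added comment `/* We probably never reach this ... earlyer ... */` records a guess; either confirm that SSL_connect() fails first when SSL_VERIFY_PEER is set and state that, or drop the comment so the failf is not read as dead code. The enclosing function starts and ends outside the hunk.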