curl-library
Re: Does curl REALLY ignore CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST?
Date: Tue, 27 Nov 2007 23:33:49 +0100
sure... this is probably the simplest fix:
#1 -------8<-------8<-------8<-------8<-------8<-------8<-------8<-------8<-------
diff -ruN curl-7.16.4/lib/ssluse.c curl-7.16.4-pp/lib/ssluse.c
--- curl-7.16.4/lib/ssluse.c 2007-05-22 22:46:51.000000000 +0200
+++ curl-7.16.4-pp/lib/ssluse.c 2007-11-27 23:19:48.000000000 +0100
@@ -1632,9 +1632,15 @@
/* Get server's certificate (note: beware of dynamic allocation) - opt */
/* major serious hack alert -- we should check certificates
* to authenticate the server; otherwise we risk man-in-the-middle
- * attack
+ * attack; NEVERTHELESS, if we're told explicitly not to verify
+ * the peer let's just move on..
*/
+ if(!data->set.ssl.verifypeer) {
+ connssl->connecting_state = ssl_connect_done;
+ return retcode;
+ }
+
connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
if(!connssl->server_cert) {
failf(data, "SSL: couldn't get peer certificate!");
#1 -------8<-------8<-------8<-------8<-------8<-------8<-------8<-------8<-------
On Nov 27, 2007 11:04 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Tue, 27 Nov 2007, paranoid paranoia wrote:
>
> > The following snippet in Curl_ossl_connect_step3 causes aborted connection
> > attempts even when curl is rather clearly instructed to not bother checking
> > the peer's certificate:
>
> I can only agree that this code should not be failing if no verification of
> the certificate is requested. The docs for the SSL_get_peer_certificate()
> function says it can return NULL when "No certificate was presented by the
> peer" and in a non-verification case that should be fine for libcurl!
>
> You up to providing a patch that corrects this?
>
> --
> Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
>
Received on 2007-11-27