
curl-library

Re: Does curl REALLY ignore CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST?

From: paranoid paranoia <paranoid.paranoia_at_gmail.com>
Date: Wed, 28 Nov 2007 07:47:52 +0100

actually... that's more like a quick hack that happens to work for me,
since i set CURLOPT_SSL_VERIFYPEER to 0 after having spent a
few hours trying to force curl to *not* make any checks. ideally, if
the cipher spec only allows anonymous key exchange or pre-shared
keys, one shouldn't have to explicitly disable peer verification...
obviously, my hack doesn't work for those. the more likely solution is
to move the chunk of code that does all the certificate checking to
the 'cert_verify_callback', but i'm not familiar enough with the code
and the general design to be sure. sorry...

--pp

On 11/27/07, paranoid paranoia <paranoid.paranoia_at_gmail.com> wrote:
> sure... this is probably the simplest fix:
>
> #1
> -------8<-------8<-------8<-------8<-------8<-------8<-------8<-------8<-------
> diff -ruN curl-7.16.4/lib/ssluse.c curl-7.16.4-pp/lib/ssluse.c
> --- curl-7.16.4/lib/ssluse.c 2007-05-22 22:46:51.000000000 +0200
> +++ curl-7.16.4-pp/lib/ssluse.c 2007-11-27 23:19:48.000000000 +0100
> @@ -1632,9 +1632,15 @@
> /* Get server's certificate (note: beware of dynamic allocation) - opt */
> /* major serious hack alert -- we should check certificates
> * to authenticate the server; otherwise we risk man-in-the-middle
> - * attack
> + * attack; NEVERTHELESS, if we're told explicitly not to verify
> + * the peer let's just move on..
> */
>
> + if(!data->set.ssl.verifypeer) {
> + connssl->connecting_state = ssl_connect_done;
> + return retcode;
> + }
> +
> connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
> if(!connssl->server_cert) {
> failf(data, "SSL: couldn't get peer certificate!");
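Review bot: the early return on `!data->set.ssl.verifypeer` bails out of the whole step as soon as verification is off, which is broader than the fix the thread describes (a NULL result from `SSL_get_peer_certificate()` being acceptable when the peer is not verified) and also skips any processing after this point that should still run with verification disabled. A narrower change would keep the `SSL_get_peer_certificate()` call and only treat a missing certificate as fatal when verification is requested, e.g. `if(!connssl->server_cert && data->set.ssl.verifypeer) { failf(data, "SSL: couldn't get peer certificate!"); ... }`, leaving `connssl->server_cert` set whenever the peer did present one. The added `+` lines are also not indented to match the surrounding code.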
> #1
> -------8<-------8<-------8<-------8<-------8<-------8<-------8<-------8<-------
>
> On Nov 27, 2007 11:04 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> > On Tue, 27 Nov 2007, paranoid paranoia wrote:
> >
> > > The following snippet in Curl_ossl_connect_step3 causes aborted connection
> > > attempts even when curl is rather clearly instructed to not bother checking
> > > the peer's certificate:
> >
> > I can only agree that this code should not be failing if no verification of
> > the certificate is requested. The docs for the SSL_get_peer_certificate()
> > function says it can return NULL when "No certificate was presented by the
> > peer" and in a non-verification case that should be fine for libcurl!
> >
> > You up to providing a patch that corrects this?
> >
> > --
> > Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
> >
>
Received on 2007-11-28