Made libcurl built with NSS possible to ignore the peer verification.

Previously it would fail if the ca bundle wasn't present, even if the code ignored the verification results.
2007-10-25 21:08:55 +00:00 · 2007-10-25 21:08:55 +00:00 · 6a17cae4f6
parent 1eac702c1a
commit 6a17cae4f6
3 changed files with 17 additions and 7 deletions
--- a/5
+++ b/5
@ -6,6 +6,11 @@

                                  Changelog

+Daniel S (25 October 2007)
+- Made libcurl built with NSS possible to ignore the peer verification.
+  Previously it would fail if the ca bundle wasn't present, even if the code
+  ignored the verification results.
+
 Patrick M (25 October 2007)
 - Fixed test server to allow null bytes in binary posts.
 _ Added tests 35, 544 & 545 to check binary data posts, both static (in place)
--- a/2
+++ b/2
@ -45,6 +45,8 @@ This release includes the following bugfixes:
   over a HTTP proxy
 o embed the manifest in VC8 builds
 o use valgrind in the tests even when the lib is built shared with libtool
+ o libcurl built with NSS can now ignore the peer verification even whjen the
+   ca cert bundle is absent

 This release includes the following known bugs:

--- a/lib/nss.c
+++ b/lib/nss.c
@ -909,9 +909,12 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
                           NULL) != SECSuccess)
    goto error;

-  if (data->set.ssl.CAfile) {
-    rv = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
-    if (!rv) {
+  if(!data->set.ssl.verifypeer)
+    /* skip the verifying of the peer */
+    ;
+  else if (data->set.ssl.CAfile) {
+    int rc = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
+    if (!rc) {
      curlerr = CURLE_SSL_CACERT_BADFILE;
      goto error;
    }
@ -954,8 +957,8 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
        data->set.ssl.CApath ? data->set.ssl.CApath : "none");

  if(data->set.str[STRING_CERT]) {
-    char * n;
-    char * nickname;
+    char *n;
+    char *nickname;

    nickname = (char *)malloc(PATH_MAX);
    if(is_file(data->set.str[STRING_CERT])) {
@ -973,7 +976,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
      goto error;
    }
    if (!cert_stuff(conn, data->set.str[STRING_CERT],
-        data->set.str[STRING_KEY])) {
+                    data->set.str[STRING_KEY])) {
      /* failf() is already done in cert_stuff() */
      free(nickname);
      return CURLE_SSL_CERTPROBLEM;
@ -983,7 +986,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
    if(SSL_GetClientAuthDataHook(model,
                                 (SSLGetClientAuthData) SelectClientCert,
                                 (void *)connssl->client_nickname) !=
-                                 SECSuccess) {
+       SECSuccess) {
      curlerr = CURLE_SSL_CERTPROBLEM;
      goto error;
    }