diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 363352a2b..5b6274cf9 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -14,6 +14,7 @@ This release includes the following changes:
 This release includes the following bugfixes:
 
 o nss: avoid memory leak on SSL connection failure
+ o nss: do not ignore failure of SSL handshake
 o
 
 This release includes the following known bugs:
diff --git a/lib/nss.c b/lib/nss.c
index d26ad5b78..be26253c4 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1157,7 +1157,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 struct SessionHandle *data = conn->data;
 curl_socket_t sockfd = conn->sock[sockindex];
 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
- int curlerr;
+ CURLcode curlerr;
 const int *cipher_to_enable;
 PRSocketOptionData sock_opt;
 long time_left;
@@ -1289,9 +1289,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 NULL) != SECSuccess)
 goto error;
 
- if(data->set.ssl.verifypeer && (CURLE_OK !=
- (curlerr = nss_load_ca_certificates(conn, sockindex))))
- goto error;
+ if(data->set.ssl.verifypeer) {
+ const CURLcode rv = nss_load_ca_certificates(conn, sockindex);
+ if(CURLE_OK != rv) {
+ curlerr = rv;
+ goto error;
+ }
+ }
 
 if (data->set.ssl.CRLfile) {
 if(SECSuccess != nss_load_crl(data->set.ssl.CRLfile)) {
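Review bot: `curlerr` is still declared without an initializer at the changed line `CURLcode curlerr;` in the first lib/nss.c hunk, so the value reported by a `goto error` path depends on an assignment that is not visible here. Where it is first assigned is outside this hunk, so this may already be handled. If the `error` label returns `curlerr`, initializing it at the declaration, `CURLcode curlerr = CURLE_SSL_CONNECT_ERROR;`, would keep every failure path fail-closed even if a later edit adds a `goto error` before the first assignment. Curl_nss_connect starts and ends outside the hunk.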
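Review bot: The new block at `if(data->set.ssl.verifypeer) {` does not record why the result goes through the temporary `rv` instead of straight into `curlerr`. The removed lines assigned the return of nss_load_ca_certificates() inside the condition, so a successful CA load left CURLE_OK in `curlerr`; a later `goto error` (the label is outside this hunk) would then presumably have reported success for a failed handshake. A comment above `const CURLcode rv`, for example `/* keep curlerr untouched on success: later 'goto error' paths must still return a failure code */`, would stop a cleanup from folding the assignment back into the condition. Other calls in Curl_nss_connect that assign their result directly to `curlerr` would need the same treatment, but none are visible here.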