- PHP's bug report #43158 (http://bugs.php.net/bug.php?id=43158) identifies a

true bug in libcurl built with OpenSSL. It made curl_easy_getinfo() more or
  less always return 0 for CURLINFO_SSL_VERIFYRESULT because the function that
  would set it to something non-zero would return before the assign in almost
  all error cases. The internal variable is now set to non-zero from the start
  of the function only to get cleared later on if things work out fine.

CHANGES

@@ -6,6 +6,16 @@
 
                                   Changelog
 
+Daniel Stenberg (30 Jul 2008)
+- PHP's bug report #43158 (http://bugs.php.net/bug.php?id=43158) identifies a
+  true bug in libcurl built with OpenSSL. It made curl_easy_getinfo() more or
+  less always return 0 for CURLINFO_SSL_VERIFYRESULT because the function that
+  would set it to something non-zero would return before the assign in almost
+  all error cases. The internal variable is now set to non-zero from the start
+  of the function only to get cleared later on if things work out fine.
+
+- Made the curl tool's -w option support the %{ssl_verify_result} variable
+
 Daniel Fandrich (30 Jul 2008)
 - Added test cases 1052 through 1055 to test uploading data from files
   during redirects.  Test cases 1052 and 1055 show problems (maybe the same

RELEASE-NOTES

@@ -18,6 +18,7 @@ This release includes the following changes:
  o Now builds for the INTEGRITY operating system
  o Added CURLINFO_APPCONNECT_TIME
  o Added test selection by key word in runtests.pl
+ o the curl tool's -w option support the %{ssl_verify_result} variable
 
 This release includes the following bugfixes:
 
@@ -37,6 +38,7 @@ This release includes the following bugfixes:
  o user-agent in CONNECT with non-HTTP protocols
  o CURL_READFUNC_PAUSE problems fixed
  o --use-ascii now works on Symbian OS, MS-DOS and OS/2
+ o CURLINFO_SSL_VERIFYRESULT is fixed
 
 This release includes the following known bugs:
 

lib/ssluse.c

@@ -1444,7 +1444,7 @@ ossl_connect_step1(struct connectdata *conn,
     lookup=X509_STORE_add_lookup(connssl->ctx->cert_store,X509_LOOKUP_file());
     if ( !lookup ||
          (X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE],
-			     X509_FILETYPE_PEM)!=1) ) {
+                             X509_FILETYPE_PEM)!=1) ) {
       failf(data,"error loading CRL file :\n"
             "  CRLfile: %s\n",
             data->set.str[STRING_SSL_CRLFILE]?
@@ -1455,11 +1455,11 @@ ossl_connect_step1(struct connectdata *conn,
       /* Everything is fine. */
       infof(data, "successfully load CRL file:\n");
       X509_STORE_set_flags(connssl->ctx->cert_store,
-			   X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+                           X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
     }
     infof(data,
           "  CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE] ?
-	  data->set.str[STRING_SSL_CRLFILE]: "none");
+          data->set.str[STRING_SSL_CRLFILE]: "none");
   }
 
   /* SSL always tries to verify the peer, this only says whether it should
@@ -1639,6 +1639,8 @@ static CURLcode servercert(struct connectdata *conn,
   X509 *issuer;
   FILE *fp;
 
+  data->set.ssl.certverifyresult = !X509_V_OK;
+
   connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
   if(!connssl->server_cert) {
     if(strict)
@@ -1692,34 +1694,34 @@ static CURLcode servercert(struct connectdata *conn,
     if (data->set.str[STRING_SSL_ISSUERCERT]) {
       if (! (fp=fopen(data->set.str[STRING_SSL_ISSUERCERT],"r"))) {
         if (strict)
-	  failf(data, "SSL: Unable to open issuer cert (%s)\n",
-		data->set.str[STRING_SSL_ISSUERCERT]);
-	X509_free(connssl->server_cert);
-	connssl->server_cert = NULL;
-	return CURLE_SSL_ISSUER_ERROR;
+          failf(data, "SSL: Unable to open issuer cert (%s)\n",
+                data->set.str[STRING_SSL_ISSUERCERT]);
+        X509_free(connssl->server_cert);
+        connssl->server_cert = NULL;
+        return CURLE_SSL_ISSUER_ERROR;
       }
       issuer = PEM_read_X509(fp,NULL,ZERO_NULL,NULL);
       if (!issuer) {
         if (strict)
-	  failf(data, "SSL: Unable to read issuer cert (%s)\n",
-		data->set.str[STRING_SSL_ISSUERCERT]);
-	X509_free(connssl->server_cert);
-	X509_free(issuer);
-	fclose(fp);
-	return CURLE_SSL_ISSUER_ERROR;
+          failf(data, "SSL: Unable to read issuer cert (%s)\n",
+                data->set.str[STRING_SSL_ISSUERCERT]);
+        X509_free(connssl->server_cert);
+        X509_free(issuer);
+        fclose(fp);
+        return CURLE_SSL_ISSUER_ERROR;
       }
       fclose(fp);
       if (X509_check_issued(issuer,connssl->server_cert) != X509_V_OK) {
         if (strict)
-	  failf(data, "SSL: Certificate issuer check failed (%s)\n",
-		data->set.str[STRING_SSL_ISSUERCERT]);
-	X509_free(connssl->server_cert);
-	X509_free(issuer);
-	connssl->server_cert = NULL;
+          failf(data, "SSL: Certificate issuer check failed (%s)\n",
+                data->set.str[STRING_SSL_ISSUERCERT]);
+        X509_free(connssl->server_cert);
+        X509_free(issuer);
+        connssl->server_cert = NULL;
         return CURLE_SSL_ISSUER_ERROR;
       }
       infof(data, "\t SSL certificate issuer check ok (%s)\n",
-	    data->set.str[STRING_SSL_ISSUERCERT]);
+            data->set.str[STRING_SSL_ISSUERCERT]);
       X509_free(issuer);
     }
 
@@ -1728,7 +1730,7 @@ static CURLcode servercert(struct connectdata *conn,
     if(data->set.ssl.certverifyresult != X509_V_OK) {
       if(data->set.ssl.verifypeer) {
         /* We probably never reach this, because SSL_connect() will fail
-           and we return earlyer if verifypeer is set? */
+           and we return earlier if verifypeer is set? */
         if(strict)
           failf(data, "SSL certificate verify result: %s (%ld)",
                 X509_verify_cert_error_string(lerr), lerr);