moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

nss: load CA certificates even with --insecure 

... because they may include an intermediate certificate for a client
certificate and the intermediate certificate needs to be presented to
the server, no matter if we verify the peer or not.

Reported-by: thraidh
Closes #851
This commit is contained in:
Kamil Dudka 2017-03-06 16:20:33 +01:00
parent 764ad34cad
commit d29e9de146
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
lib/vtls/nss.c
View File

@ -1770,9 +1770,12 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
if(SSL_HandshakeCallback(model, HandshakeCallback, conn) != SECSuccess)
goto error;
if(SSL_CONN_CONFIG(verifypeer)) {
{
const CURLcode rv = nss_load_ca_certificates(conn, sockindex);
if(rv) {
if((rv == CURLE_SSL_CACERT_BADFILE) && !SSL_CONN_CONFIG(verifypeer))
/* not a fatal error because we are not going to verify the peer */
infof(data, "warning: CA certificates failed to load\n");
else if(rv) {
result = rv;
goto error;
}