mirror of https://github.com/moparisthebest/curl synced 2025-01-10 13:38:04 -05:00

openssl: Don't add verify locations when verifypeer==0

When peer verification is disabled, calling
SSL_CTX_load_verify_locations is not necessary. Only call it when
verification is enabled to save resources and increase performance.

Closes #2290
Patrick Schlangen 2018-02-05 17:17:15 +01:00 committed by Daniel Stenberg
parent 05484d4831
commit dc85437736
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2


@ -2338,10 +2338,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#endif #endif
if(ssl_cafile || ssl_capath) { if(ssl_cafile || ssl_capath) {
if(verifypeer) {
/* tell SSL where to find CA certificates that are used to verify /* tell SSL where to find CA certificates that are used to verify
the servers certificate. */ the servers certificate. */
if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) { if(!SSL_CTX_load_verify_locations(BACKEND->ctx,
if(verifypeer) { ssl_cafile, ssl_capath)) {
/* Fail if we insist on successfully verifying the server. */ /* Fail if we insist on successfully verifying the server. */
failf(data, "error setting certificate verify locations:\n" failf(data, "error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s", " CAfile: %s\n CApath: %s",
@ -2349,21 +2350,19 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
ssl_capath ? ssl_capath : "none"); ssl_capath ? ssl_capath : "none");
return CURLE_SSL_CACERT_BADFILE; return CURLE_SSL_CACERT_BADFILE;
} }
/* Just continue with a warning if no strict certificate verification
is required. */
infof(data, "error setting certificate verify locations,"
" continuing anyway:\n");
}
else { else {
/* Everything is fine. */ /* Everything is fine. */
infof(data, "successfully set certificate verify locations:\n"); infof(data, "successfully set certificate verify locations:\n"
} " CAfile: %s\n CApath: %s\n",
infof(data,
" CAfile: %s\n"
" CApath: %s\n",
ssl_cafile ? ssl_cafile : "none", ssl_cafile ? ssl_cafile : "none",
ssl_capath ? ssl_capath : "none"); ssl_capath ? ssl_capath : "none");
} }
}
else {
infof(data, "ignoring certificate verify locations due to "
"disabled peer verification\n");
}
}
#ifdef CURL_CA_FALLBACK #ifdef CURL_CA_FALLBACK
else if(verifypeer) { else if(verifypeer) {
/* verfying the peer without any CA certificates won't /* verfying the peer without any CA certificates won't