mirror of
https://github.com/moparisthebest/curl
synced 2024-12-23 00:28:48 -05:00
openssl: Don't add verify locations when verifypeer==0
When peer verification is disabled, calling SSL_CTX_load_verify_locations is not necessary. Only call it when verification is enabled to save resources and increase performance. Closes #2290
This commit is contained in:
parent
05484d4831
commit
dc85437736
@ -2338,10 +2338,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
#endif
|
||||
|
||||
if(ssl_cafile || ssl_capath) {
|
||||
if(verifypeer) {
|
||||
/* tell SSL where to find CA certificates that are used to verify
|
||||
the servers certificate. */
|
||||
if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {
|
||||
if(verifypeer) {
|
||||
if(!SSL_CTX_load_verify_locations(BACKEND->ctx,
|
||||
ssl_cafile, ssl_capath)) {
|
||||
/* Fail if we insist on successfully verifying the server. */
|
||||
failf(data, "error setting certificate verify locations:\n"
|
||||
" CAfile: %s\n CApath: %s",
|
||||
@ -2349,21 +2350,19 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
ssl_capath ? ssl_capath : "none");
|
||||
return CURLE_SSL_CACERT_BADFILE;
|
||||
}
|
||||
/* Just continue with a warning if no strict certificate verification
|
||||
is required. */
|
||||
infof(data, "error setting certificate verify locations,"
|
||||
" continuing anyway:\n");
|
||||
}
|
||||
else {
|
||||
/* Everything is fine. */
|
||||
infof(data, "successfully set certificate verify locations:\n");
|
||||
}
|
||||
infof(data,
|
||||
" CAfile: %s\n"
|
||||
" CApath: %s\n",
|
||||
infof(data, "successfully set certificate verify locations:\n"
|
||||
" CAfile: %s\n CApath: %s\n",
|
||||
ssl_cafile ? ssl_cafile : "none",
|
||||
ssl_capath ? ssl_capath : "none");
|
||||
}
|
||||
}
|
||||
else {
|
||||
infof(data, "ignoring certificate verify locations due to "
|
||||
"disabled peer verification\n");
|
||||
}
|
||||
}
|
||||
#ifdef CURL_CA_FALLBACK
|
||||
else if(verifypeer) {
|
||||
/* verfying the peer without any CA certificates won't
|
||||
|
Loading…
Reference in New Issue
Block a user