authorDaniel Stenberg <daniel@haxx.se>2020-09-07 16:20:16 +0200
committerDaniel Stenberg <daniel@haxx.se>2020-09-07 17:26:27 +0200
commit6d946ad9feb7d5809f071e4da6125fed28a04be0 (patch)
tree3e8bd367efd3b880263ad3e381f74f1ac688df77
parentd63b3908dad8e0ab1a5dc1caca87447f33d1591d (diff)
openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification
If the error reason from the lib is SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED, libcurl will return CURLE_PEER_FAILED_VERIFICATION and not CURLE_SSL_CONNECT_ERROR. This unifies the libcurl return code and makes libressl run test 313 (CRL testing) fine. Closes #5934
-rw-r--r--lib/vtls/openssl.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 5d3da8234..0a5a37384 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3285,7 +3285,8 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
reason = ERR_GET_REASON(errdetail);
if((lib == ERR_LIB_SSL) &&
- (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {
+ ((reason == SSL_R_CERTIFICATE_VERIFY_FAILED) ||
+ (reason == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED))) {
result = CURLE_PEER_FAILED_VERIFICATION;
lerr = SSL_get_verify_result(backend->handle);
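Review bot: The new `SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED` test in the condition needs a comment, because unlike `SSL_R_CERTIFICATE_VERIFY_FAILED` it is an alert-derived reason code. In OpenSSL, as far as I know, such reasons are recorded when the peer sends the alert, so this branch may also be reached when the server rejects an expired client certificate. In that case `SSL_get_verify_result(backend->handle)` on the following line can presumably still return `X509_V_OK`, so the code after the hunk (not visible here) should be checked to confirm it does not report a server-certificate problem that local verification never found. Suggested comment above the `if`: `/* LibreSSL signals the CRL failure of test 313 with this alert reason; it may also mean the peer rejected our certificate */`. The body of ossl_connect_step2 starts before and continues after this hunk.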