authorKamil Dudka <kdudka@redhat.com>2017-03-06 16:20:33 +0100
committerKamil Dudka <kdudka@redhat.com>2017-04-10 13:44:52 +0200
commitd29e9de146a5d56aea07fad43b0572b3a44fd3db (patch)
tree8f75383a294398edbb3faf3db003cb8a6b200c2b
parent764ad34cad3a097efb7fc4dd2f579e8d324c9be8 (diff)
nss: load CA certificates even with --insecure
... because they may include an intermediate certificate for a client certificate and the intermediate certificate needs to be presented to the server, no matter if we verify the peer or not. Reported-by: thraidh Closes #851
-rw-r--r--lib/vtls/nss.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 0149d7e37..1d7047a3d 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1770,9 +1770,12 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
if(SSL_HandshakeCallback(model, HandshakeCallback, conn) != SECSuccess)
goto error;
- if(SSL_CONN_CONFIG(verifypeer)) {
+ {
const CURLcode rv = nss_load_ca_certificates(conn, sockindex);
- if(rv) {
+ if((rv == CURLE_SSL_CACERT_BADFILE) && !SSL_CONN_CONFIG(verifypeer))
+ /* not a fatal error because we are not going to verify the peer */
+ infof(data, "warning: CA certificates failed to load\n");
+ else if(rv) {
result = rv;
goto error;
}
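Review bot: The bare `{` block that now calls nss_load_ca_certificates() unconditionally has no comment saying why the CA bundle is loaded when verifypeer is off, so the reason exists only in the commit message and a later cleanup could restore the old guard. I would add above the block `/* load CA certs even with verifypeer off: they may hold an intermediate needed for the client certificate chain */`. The unbraced `if`, whose body is a comment plus the infof() call and which is followed by a braced `else if`, is easy to break when a second statement is added; bracing both arms would be safer. Since infof() output is presumably visible only in verbose mode, a later client-authentication handshake failure caused by the missing intermediate may be hard to trace back to this warning. nss_setup_connect's body starts and ends outside the hunk.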