From ca6ea6d9be5102a2246dff6e17b3ee9ad4ec64d0 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 22 Jan 2017 18:11:55 +0100
Subject: TLS: make SSL_VERIFYSTATUS work again

The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
and thus even if the status couldn't be verified, the connection would
be allowed and the user would not be told about the failed verification.

Regression since cb4e2be7c6d42ca

CVE-2017-2629
Bug: https://curl.haxx.se/docs/adv_20170222.html

Reported-by: Marcus Hoffmann
---
 lib/url.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'lib/url.c')

diff --git a/lib/url.c b/lib/url.c
index 2886abec8..b8f7cfb9b 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -4173,8 +4173,11 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
   conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
   conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
 
+  conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
   conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
   conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
+  conn->proxy_ssl_config.verifystatus =
+    data->set.proxy_ssl.primary.verifystatus;
   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
 
-- 
cgit v1.2.1