55 lines
2.1 KiB
Diff
55 lines
2.1 KiB
Diff
|
diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c
|
||
|
--- curl-7.19.6.orig/lib/nss.c 2009-08-14 11:14:45.423733097 +0200
|
||
|
+++ curl-7.19.6/lib/nss.c 2009-08-14 11:15:04.142733360 +0200
|
||
|
@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *ar
|
||
|
issuer);
|
||
|
break;
|
||
|
case SSL_ERROR_BAD_CERT_DOMAIN:
|
||
|
- if(conn->data->set.ssl.verifypeer)
|
||
|
+ if(conn->data->set.ssl.verifyhost) {
|
||
|
+ failf(conn->data, "common name '%s' does not match '%s'",
|
||
|
+ subject, conn->host.dispname);
|
||
|
success = SECFailure;
|
||
|
- infof(conn->data, "common name: %s (does not match '%s')\n",
|
||
|
- subject, conn->host.dispname);
|
||
|
+ } else {
|
||
|
+ infof(conn->data, "warning: common name '%s' does not match '%s'\n",
|
||
|
+ subject, conn->host.dispname);
|
||
|
+ }
|
||
|
break;
|
||
|
case SEC_ERROR_EXPIRED_CERTIFICATE:
|
||
|
if(conn->data->set.ssl.verifypeer)
|
||
|
success = SECFailure;
|
||
|
infof(conn->data, "Remote Certificate has expired.\n");
|
||
|
break;
|
||
|
+ case SEC_ERROR_UNKNOWN_ISSUER:
|
||
|
+ if(conn->data->set.ssl.verifypeer)
|
||
|
+ success = SECFailure;
|
||
|
+ infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
|
||
|
+ issuer);
|
||
|
+ break;
|
||
|
default:
|
||
|
if(conn->data->set.ssl.verifypeer)
|
||
|
success = SECFailure;
|
||
|
@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connect
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+ if(data->set.ssl.verifyhost == 1)
|
||
|
+ infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
|
||
|
+
|
||
|
data->set.ssl.certverifyresult=0; /* not checked yet */
|
||
|
if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
|
||
|
!= SECSuccess) {
|
||
|
@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connect
|
||
|
if(SSL_ForceHandshakeWithTimeout(connssl->handle,
|
||
|
PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
|
||
|
!= SECSuccess) {
|
||
|
- if(conn->data->set.ssl.certverifyresult!=0)
|
||
|
+ if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
|
||
|
+ curlerr = CURLE_PEER_FAILED_VERIFICATION;
|
||
|
+ else if(conn->data->set.ssl.certverifyresult!=0)
|
||
|
curlerr = CURLE_SSL_CACERT;
|
||
|
goto error;
|
||
|
}
|