diff options
| author | Patrick Schlangen <patrick@schlangen.me> | 2018-02-05 17:17:15 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2018-02-06 10:48:03 +0100 |
| commit | dc85437736e1fc90e689bb1f6c51c8f1aa9430eb (patch) | |
| tree | a6c372562caab12ba4f830c222b34ffea565b75c | |
| parent | 05484d48311b47c1fcc9a360266f53723ddf7300 (diff) | |
| download | curl-dc85437736e1fc90e689bb1f6c51c8f1aa9430eb.tar.gz | |
openssl: Don't add verify locations when verifypeer==0
When peer verification is disabled, calling
SSL_CTX_load_verify_locations is not necessary. Only call it when
verification is enabled to save resources and increase performance.
Closes #2290
| -rw-r--r-- | lib/vtls/openssl.c | 31 |
1 files changed, 15 insertions, 16 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 0d7baca8b..2a6b3cfac 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2338,10 +2338,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) #endif if(ssl_cafile || ssl_capath) { - /* tell SSL where to find CA certificates that are used to verify - the servers certificate. */ - if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) { - if(verifypeer) { + if(verifypeer) { + /* tell SSL where to find CA certificates that are used to verify + the servers certificate. */ + if(!SSL_CTX_load_verify_locations(BACKEND->ctx, + ssl_cafile, ssl_capath)) { /* Fail if we insist on successfully verifying the server. */ failf(data, "error setting certificate verify locations:\n" " CAfile: %s\n CApath: %s", @@ -2349,20 +2350,18 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) ssl_capath ? ssl_capath : "none"); return CURLE_SSL_CACERT_BADFILE; } - /* Just continue with a warning if no strict certificate verification - is required. */ - infof(data, "error setting certificate verify locations," - " continuing anyway:\n"); + else { + /* Everything is fine. */ + infof(data, "successfully set certificate verify locations:\n" + " CAfile: %s\n CApath: %s\n", + ssl_cafile ? ssl_cafile : "none", + ssl_capath ? ssl_capath : "none"); + } } else { - /* Everything is fine. */ - infof(data, "successfully set certificate verify locations:\n"); - } - infof(data, - " CAfile: %s\n" - " CApath: %s\n", - ssl_cafile ? ssl_cafile : "none", - ssl_capath ? ssl_capath : "none"); + infof(data, "ignoring certificate verify locations due to " + "disabled peer verification\n"); + } } #ifdef CURL_CA_FALLBACK else if(verifypeer) { |