bearssl: don't load CA certs when peer verification is disabled

We already do this for other SSL backends. Bug: https://github.com/curl/curl/pull/11457#issuecomment-1644587473 Reported-by: kyled-dell@users.noreply.github.com Closes https://github.com/curl/curl/pull/11497
2023-07-21 03:26:14 -04:00 · 2023-07-21 03:26:14 -04:00 · 691c32f6f5
commit 691c32f6f5
parent 392b73ac99
1 changed files with 15 additions and 21 deletions
--- a/lib/vtls/bearssl.c
+++ b/lib/vtls/bearssl.c
@ -624,38 +624,32 @@ static CURLcode bearssl_connect_step1(struct Curl_cfilter *cf,
    return CURLE_SSL_CONNECT_ERROR;
  }

-  if(ca_info_blob) {
-    struct cafile_source source;
-    source.type = CAFILE_SOURCE_BLOB;
-    source.data = ca_info_blob->data;
-    source.len = ca_info_blob->len;
+  if(verifypeer) {
+    if(ca_info_blob) {
+      struct cafile_source source;
+      source.type = CAFILE_SOURCE_BLOB;
+      source.data = ca_info_blob->data;
+      source.len = ca_info_blob->len;

-    ret = load_cafile(&source, &backend->anchors, &backend->anchors_len);
-    if(ret != CURLE_OK) {
-      if(verifypeer) {
+      ret = load_cafile(&source, &backend->anchors, &backend->anchors_len);
+      if(ret != CURLE_OK) {
        failf(data, "error importing CA certificate blob");
        return ret;
      }
-      /* Only warn if no certificate verification is required. */
-      infof(data, "error importing CA certificate blob, continuing anyway");
    }
-  }

-  if(ssl_cafile) {
-    struct cafile_source source;
-    source.type = CAFILE_SOURCE_PATH;
-    source.data = ssl_cafile;
-    source.len = 0;
+    if(ssl_cafile) {
+      struct cafile_source source;
+      source.type = CAFILE_SOURCE_PATH;
+      source.data = ssl_cafile;
+      source.len = 0;

-    ret = load_cafile(&source, &backend->anchors, &backend->anchors_len);
-    if(ret != CURLE_OK) {
-      if(verifypeer) {
+      ret = load_cafile(&source, &backend->anchors, &backend->anchors_len);
+      if(ret != CURLE_OK) {
        failf(data, "error setting certificate verify locations."
              " CAfile: %s", ssl_cafile);
        return ret;
      }
-      infof(data, "error setting certificate verify locations,"
-            " continuing anyway:");
    }
  }