luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

openssl: if verifypeer is not requested, skip the CA loading

Browse Source 
It was previously done mostly to show a match/non-match in the verbose
output even when verification was not asked for. This change skips the
loading of the CA certs unless verifypeer is set to save memory and CPU.

Closes #7892
This commit is contained in:
Daniel Stenberg 2021-10-22 12:34:34 +02:00
parent 0c2d3118aa
commit 83393b1a36
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 20 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
lib/vtls/openssl.c
View File

@ -3066,60 +3066,36 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
} }
} }
if(verifypeer && !imported_native_ca && (ssl_cafile || ssl_capath)) {
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
/* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */ /* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */
{ if(ssl_cafile &&
if(ssl_cafile) { !SSL_CTX_load_verify_file(backend->ctx, ssl_cafile)) {
if(!SSL_CTX_load_verify_file(backend->ctx, ssl_cafile)) { /* Fail if we insist on successfully verifying the server. */
if(verifypeer && !imported_native_ca) { failf(data, "error setting certificate file: %s", ssl_cafile);
/* Fail if we insist on successfully verifying the server. */ return CURLE_SSL_CACERT_BADFILE;
failf(data, "error setting certificate file: %s", ssl_cafile);
return CURLE_SSL_CACERT_BADFILE;
}
/* Continue with warning if certificate verification isn't required. */
infof(data, "error setting certificate file, continuing anyway");
}
infof(data, " CAfile: %s", ssl_cafile);
} }
if(ssl_capath) { if(ssl_capath &&
if(!SSL_CTX_load_verify_dir(backend->ctx, ssl_capath)) { !SSL_CTX_load_verify_dir(backend->ctx, ssl_capath)) {
if(verifypeer && !imported_native_ca) { /* Fail if we insist on successfully verifying the server. */
/* Fail if we insist on successfully verifying the server. */ failf(data, "error setting certificate path: %s", ssl_capath);
failf(data, "error setting certificate path: %s", ssl_capath); return CURLE_SSL_CACERT_BADFILE;
return CURLE_SSL_CACERT_BADFILE;
}
/* Continue with warning if certificate verification isn't required. */
infof(data, "error setting certificate path, continuing anyway");
}
infof(data, " CApath: %s", ssl_capath);
} }
}
#else #else
if(ssl_cafile || ssl_capath) { /* tell OpenSSL where to find CA certificates that are used to verify the
/* tell SSL where to find CA certificates that are used to verify server's certificate. */
the server's certificate. */
if(!SSL_CTX_load_verify_locations(backend->ctx, ssl_cafile, ssl_capath)) { if(!SSL_CTX_load_verify_locations(backend->ctx, ssl_cafile, ssl_capath)) {
if(verifypeer && !imported_native_ca) { /* Fail if we insist on successfully verifying the server. */
/* Fail if we insist on successfully verifying the server. */ failf(data, "error setting certificate verify locations:"
failf(data, "error setting certificate verify locations:" " CAfile: %s CApath: %s",
" CAfile: %s CApath: %s", ssl_cafile ? ssl_cafile : "none",
ssl_cafile ? ssl_cafile : "none", ssl_capath ? ssl_capath : "none");
ssl_capath ? ssl_capath : "none"); return CURLE_SSL_CACERT_BADFILE;
return CURLE_SSL_CACERT_BADFILE;
}
/* Just continue with a warning if no strict certificate verification
is required. */
infof(data, "error setting certificate verify locations,"
" continuing anyway:");
}
else {
/* Everything is fine. */
infof(data, "successfully set certificate verify locations:");
} }
#endif
infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none"); infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none"); infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
} }
#endif
#ifdef CURL_CA_FALLBACK #ifdef CURL_CA_FALLBACK
if(verifypeer && if(verifypeer &&