curl-users

Re: error with -k (--insecure)

From: Ralph Mitchell <rmitchell_at_eds.com>
Date: Thu, 30 Jan 2003 00:12:17 -0600

The attached patch (against 7.10.3) should do it, I think. Instead of checking
the insecure_ok flag if the crt file is not found, check for the crt files only
if insecure_ok is not set...

Or I may have totally missed the boat - I think this is about the second time
I've looked at curl's source... :)

Ralph Mitchell

Daniel Stenberg wrote:

> On Wed, 29 Jan 2003, Roth, Kevin P. wrote:
>
> > So, I tried using the -k option to turn off certificate checking. However,
> > because curl found a "curl-ca-bundle.crt" file in my path, it seemed to
> > ignore the -k option, and gave me error 35 back ("curl: (35) SSL:
> > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > failed").
> >
> > Was this bug fixed in 7.10.3? If not, could someone please find the problem
> > and fix it? I'd imagine this would be pretty easy to correct...
>
> I just checked the source and this bug is still present in there.
>
> If no one else beats me to it, I hope to be able to provide a patch soonish.
>
> Thanks for an excellent report and analysis.
>
> --
> Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.

*** main.c Wed Jan 8 09:04:42 2003
--- main.c.new Thu Jan 30 00:03:30 2003
***************
*** 2809,2829 ****
        curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, config->key_type);
        curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, config->key_passwd);
  
! if(config->cacert || config->capath) {
! if (config->cacert)
! curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
!
! if (config->capath)
! curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
! curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, TRUE);
! curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
        }
        else {
! if(config->insecure_ok)
! /* new stuff needed for libcurl 7.10 */
! curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
!
! curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
        }
        
        if((config->conf&CONF_NOBODY) ||
--- 2809,2831 ----
        curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, config->key_type);
        curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, config->key_passwd);
  
! if(config->insecure_ok)
! /* new stuff needed for libcurl 7.10 */
! curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
        }
        else {
! if(config->cacert || config->capath) {
! if (config->cacert)
! curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
!
! if (config->capath)
! curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
! curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, TRUE);
! curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
! }
! else {
! curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
! }
        }
        
        if((config->conf&CONF_NOBODY) ||
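
Review bot: the new "if(config->insecure_ok)" at the top of the changed block has no opening brace, yet the unchanged "}" and "else {" that follow it still expect one, so as posted that "}" closes the enclosing block and the else no longer pairs with this if; add "{" after the condition. Separately, the -k branch now sets only CURLOPT_SSL_VERIFYPEER and never touches CURLOPT_SSL_VERIFYHOST, whereas the old code set it to 1 whenever no CA file or path was given; if host-name checking is meant to stay relaxed under -k, set it explicitly in that branch rather than leaving it at whatever libcurl defaults to. A short comment stating that -k now takes precedence over --cacert/--capath would also help, since those options are silently ignored when both are given.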

Received on 2003-01-30