- Made the gnutls code path not even try to get the server cert if no peer

  verification is requested. Previously it would even return failure if gnutls
  failed to get the server cert even though no verification was asked for.

- Fix my Curl_timeleft() leftover mistake in the gnutls code

diff --git a/CHANGES b/CHANGES
index 1cdc0d7c0ba8b6a408e8530b3181c327420a8a6f..06639d25d0c1c270c7d3b1194ed85fecb12ba551 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,13 @@
                                   Changelog
 
 Daniel S (15 Feb 2008)
+- Made the gnutls code path not even try to get the server cert if no peer
+  verification is requested. Previously it would even return failure if gnutls
+  failed to get the server cert even though no verification was asked for.
+  Public server showing the problem: https://www.net222.caisse-epargne.fr
+
+- Fix my Curl_timeleft() leftover mistake in the gnutls code
+
 - Pooyan McSporran found and fixed a flaw where you first would do a normal
   http request and then you'd reuse the handle and replace the Accept: header,
   as then libcurl would send two Accept: headers!

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index f2784b7871de043b3a0b93f75c2087e12321293b..9f373eb0ff0c1faeb480dcba3dd4847a8eec6cbe 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -20,6 +20,8 @@ This release includes the following bugfixes:
  o GnuTLS-built libcurl failed when doing global cleanup and reinit
  o error message problem when unable to resolve a host on Windows
  o Accept: header replacing
+ o not verificating server certs with gnutls still failed if gnutls had problems
+   with the cert
 
 This release includes the following known bugs:
 

diff --git a/lib/gtls.c b/lib/gtls.c
index 01ea303bb4ba7347667323893d8235978ba82534..4152ded2627122d5ffd6412702c60e35da217bb4 100644 (file)
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -156,7 +156,7 @@ static CURLcode handshake(struct connectdata *conn,
     rc = gnutls_handshake(session);
 
     if((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED)) {
-      long timeout_ms = Curl_connecttimeleft(conn, NULL, duringconnect);
+      long timeout_ms = Curl_timeleft(conn, NULL, duringconnect);
 
       if(timeout_ms < 0) {
         /* a precaution, no need to continue if time already is up */
@@ -336,38 +336,42 @@ Curl_gtls_connect(struct connectdata *conn,
 
   chainp = gnutls_certificate_get_peers(session, &cert_list_size);
   if(!chainp) {
-    if(data->set.ssl.verifyhost) {
+    if(data->set.ssl.verifypeer) {
       failf(data, "failed to get server cert");
       return CURLE_PEER_FAILED_VERIFICATION;
     }
     infof(data, "\t common name: WARNING couldn't obtain\n");
   }
 
-  /* This function will try to verify the peer's certificate and return its
-     status (trusted, invalid etc.). The value of status should be one or more
-     of the gnutls_certificate_status_t enumerated elements bitwise or'd. To
-     avoid denial of service attacks some default upper limits regarding the
-     certificate key size and chain size are set. To override them use
-     gnutls_certificate_set_verify_limits(). */
+  if(data->set.ssl.verifypeer) {
+    /* This function will try to verify the peer's certificate and return its
+       status (trusted, invalid etc.). The value of status should be one or
+       more of the gnutls_certificate_status_t enumerated elements bitwise
+       or'd. To avoid denial of service attacks some default upper limits
+       regarding the certificate key size and chain size are set. To override
+       them use gnutls_certificate_set_verify_limits(). */
 
-  rc = gnutls_certificate_verify_peers2(session, &verify_status);
-  if(rc < 0) {
-    failf(data, "server cert verify failed: %d", rc);
-    return CURLE_SSL_CONNECT_ERROR;
-  }
+    rc = gnutls_certificate_verify_peers2(session, &verify_status);
+    if(rc < 0) {
+      failf(data, "server cert verify failed: %d", rc);
+      return CURLE_SSL_CONNECT_ERROR;
+    }
 
-  /* verify_status is a bitmask of gnutls_certificate_status bits */
-  if(verify_status & GNUTLS_CERT_INVALID) {
-    if(data->set.ssl.verifypeer) {
-      failf(data, "server certificate verification failed. CAfile: %s",
-            data->set.ssl.CAfile?data->set.ssl.CAfile:"none");
-      return CURLE_SSL_CACERT;
+    /* verify_status is a bitmask of gnutls_certificate_status bits */
+    if(verify_status & GNUTLS_CERT_INVALID) {
+      if(data->set.ssl.verifypeer) {
+        failf(data, "server certificate verification failed. CAfile: %s",
+              data->set.ssl.CAfile?data->set.ssl.CAfile:"none");
+        return CURLE_SSL_CACERT;
+      }
+      else
+        infof(data, "\t server certificate verification FAILED\n");
     }
     else
-      infof(data, "\t server certificate verification FAILED\n");
+      infof(data, "\t server certificate verification OK\n");
   }
   else
-      infof(data, "\t server certificate verification OK\n");
+    infof(data, "\t server certificate verification SKIPPED\n");
 
   /* initialize an X.509 certificate structure. */
   gnutls_x509_crt_init(&x509_cert);