From: Daniel Stenberg Date: Sun, 22 Jan 2017 17:11:55 +0000 (+0100) Subject: TLS: make SSL_VERIFYSTATUS work again X-Git-Tag: curl-7_53_0~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ca6ea6d9be5102a2246dff6e17b3ee9ad4ec64d0;p=curl TLS: make SSL_VERIFYSTATUS work again The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl and thus even if the status couldn't be verified, the connection would be allowed and the user would not be told about the failed verification. Regression since cb4e2be7c6d42ca CVE-2017-2629 Bug: https://curl.haxx.se/docs/adv_20170222.html Reported-by: Marcus Hoffmann --- diff --git a/lib/url.c b/lib/url.c index 2886abec8..b8f7cfb9b 100644 --- a/lib/url.c +++ b/lib/url.c @@ -4173,8 +4173,11 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) conn->bits.ftp_use_epsv = data->set.ftp_use_epsv; conn->bits.ftp_use_eprt = data->set.ftp_use_eprt; + conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; + conn->proxy_ssl_config.verifystatus = + data->set.proxy_ssl.primary.verifystatus; conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
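Review bot: The two added `verifystatus` assignments in `allocate_conn()` come without a regression test, and the failure they fix was silent: per the commit message, the connection was allowed and the user was not told about the failed verification. Add a test that sets CURLOPT_SSL_VERIFYSTATUS and expects the transfer to fail when the status cannot be verified, covering both the `conn->ssl_config` and the `conn->proxy_ssl_config` path. Separately, the hunk still copies `verifystatus`, `verifypeer` and `verifyhost` one field at a time into each of the two configs, a pattern in which a single field can be left out, as this fix shows. Consider one helper that copies the verification flags from `data->set.ssl.primary` and `data->set.proxy_ssl.primary`, so that a flag cannot be skipped for one of the two configs.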