- From a00a42b4abe8363a46071bb3b43b1b7138f5259b Mon Sep 17 00:00:00 2001
- From: Daniel Stenberg <daniel@haxx.se>
- Date: Sun, 22 Jan 2017 18:11:55 +0100
- Subject: [PATCH] TLS: make SSL_VERIFYSTATUS work again
- The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
- and thus even if the status couldn't be verified, the connection would
- be allowed and the user would not be told about the failed verification.
- Regression since cb4e2be7c6d42ca
- CVE-2017-2629
- Bug: https://curl.haxx.se/docs/adv_20170222.html
- Reported-by: Marcus Hoffmann
- ---
- lib/url.c | 3 +++
- 1 file changed, 3 insertions(+)
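--- a/lib/url.c
+++ b/lib/url.c
@@ -4141,8 +4141,11 @@ static struct connectdata *allocate_conn
 conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
 conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
 
+conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
 conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
 conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
+conn->proxy_ssl_config.verifystatus =
+data->set.proxy_ssl.primary.verifystatus;
 conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
 conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
 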
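Review bot: The field-by-field copies of `verifypeer`, `verifyhost` and now `verifystatus` carry no comment saying that every verification flag in `data->set.ssl.primary` and `data->set.proxy_ssl.primary` must be mirrored onto the connection at this point, which is the kind of omission the commit message describes as the regression. I would put `/* mirror every verification flag from set.ssl.primary and set.proxy_ssl.primary; a missing copy silently turns that check off */` above the first added line. The diffstat shows only lib/url.c, so no test pins the behaviour; a case that enables status verification against a server that staples no OCSP response and expects the transfer to fail would catch a repeat. It is also worth confirming, outside this hunk, that the code deciding whether a cached connection may be reused compares `verifystatus` too, so a connection set up without the check is not handed to a transfer that asked for it. The body of `allocate_conn` starts and ends outside the hunk.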