if (results->curl_result == CURLE_OK) {
credential_approve(&http_auth);
- if (proxy_auth.password)
- credential_approve(&proxy_auth);
+ credential_approve(&proxy_auth);
+ credential_approve(&cert_auth);
return HTTP_OK;
+ } else if (results->curl_result == CURLE_SSL_CERTPROBLEM) {
+ /*
+ * We can't tell from here whether it's a bad path, bad
+ * certificate, bad password, or something else wrong
+ * with the certificate. So we reject the credential to
+ * avoid caching or saving a bad password.
+ */
+ credential_reject(&cert_auth);
+ return HTTP_NOAUTH;
} else if (missing_target(results))
return HTTP_MISSING_TARGET;
else if (results->http_code == 401) {