openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification
authorDaniel Stenberg <daniel@haxx.se>
Mon, 7 Sep 2020 14:20:16 +0000 (16:20 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Mon, 7 Sep 2020 15:26:27 +0000 (17:26 +0200)
If the error reason from the lib is
SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED, libcurl will return
CURLE_PEER_FAILED_VERIFICATION and not CURLE_SSL_CONNECT_ERROR.

This unifies the libcurl return code and makes libressl run test 313
(CRL testing) fine.

Closes #5934

lib/vtls/openssl.c

index 5d3da82341ab155c9c6010de4f10ab15c9701574..0a5a373842bab44d66ba96365e8af9eb11f74c9a 100644 (file)
@@ -3285,7 +3285,8 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
       reason = ERR_GET_REASON(errdetail);
 
       if((lib == ERR_LIB_SSL) &&
-         (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {
+         ((reason == SSL_R_CERTIFICATE_VERIFY_FAILED) ||
+          (reason == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED))) {
         result = CURLE_PEER_FAILED_VERIFICATION;
 
         lerr = SSL_get_verify_result(backend->handle);
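Review bot: The added `SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED` test in the condition needs a comment explaining why an alert reason is treated as a local verification failure. In OpenSSL the `SSL_R_SSLV3_ALERT_*` reasons normally mean the alert was received from the peer (for example a server rejecting an expired client certificate), so `SSL_get_verify_result(backend->handle)` on the last line may return `X509_V_OK` on this path. The caller would then get CURLE_PEER_FAILED_VERIFICATION even though local verification of the server certificate may have passed. Going by the commit message, I would add `/* LibreSSL reports this reason where OpenSSL gives CERTIFICATE_VERIFY_FAILED (test 313) */` above the condition, and confirm that the handling of `lerr`, which lies outside the hunk, produces a sensible message when it is `X509_V_OK`. Sibling reasons such as `SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED` still appear to end up as CURLE_SSL_CONNECT_ERROR, so the return code is only partly unified.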