wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files
authorDaniel Stenberg <daniel@haxx.se>
Tue, 19 Sep 2023 08:53:44 +0000 (10:53 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Tue, 19 Sep 2023 10:59:56 +0000 (12:59 +0200)
Ref: #11883
Reported-by: Michael Osipov
Closes #11884

lib/vtls/wolfssl.c

index 5f157207428f6c1a443603511333787e27f8a836..3c2058c76337c29fe93dc6fbd152f46de9658e53 100644 (file)
@@ -541,37 +541,39 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
   }
 
 #ifndef NO_FILESYSTEM
-  /* load trusted cacert */
-  if(conn_config->CAfile) {
-    if(1 != wolfSSL_CTX_load_verify_locations(backend->ctx,
-                                              conn_config->CAfile,
-                                              conn_config->CApath)) {
-      if(conn_config->verifypeer && !imported_ca_info_blob &&
-         !imported_native_ca) {
-        /* Fail if we insist on successfully verifying the server. */
-        failf(data, "error setting certificate verify locations:"
-              " CAfile: %s CApath: %s",
-              conn_config->CAfile?
-              conn_config->CAfile: "none",
-              conn_config->CApath?
-              conn_config->CApath : "none");
-        return CURLE_SSL_CACERT_BADFILE;
+  else {
+  /* load trusted cacert from file if not blob */
+    if(conn_config->CAfile || conn_config->CApath) {
+      if(1 != wolfSSL_CTX_load_verify_locations(backend->ctx,
+                                                conn_config->CAfile,
+                                                conn_config->CApath)) {
+        if(conn_config->verifypeer && !imported_ca_info_blob &&
+           !imported_native_ca) {
+          /* Fail if we insist on successfully verifying the server. */
+          failf(data, "error setting certificate verify locations:"
+                " CAfile: %s CApath: %s",
+                conn_config->CAfile?
+                conn_config->CAfile: "none",
+                conn_config->CApath?
+                conn_config->CApath : "none");
+          return CURLE_SSL_CACERT_BADFILE;
+        }
+        else {
+          /* Just continue with a warning if no strict certificate
+             verification is required. */
+          infof(data, "error setting certificate verify locations,"
+                " continuing anyway:");
+        }
       }
       else {
-        /* Just continue with a warning if no strict certificate
-           verification is required. */
-        infof(data, "error setting certificate verify locations,"
-              " continuing anyway:");
+        /* Everything is fine. */
+        infof(data, "successfully set certificate verify locations:");
       }
+      infof(data, " CAfile: %s",
+            conn_config->CAfile ? conn_config->CAfile : "none");
+      infof(data, " CApath: %s",
+            conn_config->CApath ? conn_config->CApath : "none");
     }
-    else {
-      /* Everything is fine. */
-      infof(data, "successfully set certificate verify locations:");
-    }
-    infof(data, " CAfile: %s",
-          conn_config->CAfile ? conn_config->CAfile : "none");
-    infof(data, " CApath: %s",
-          conn_config->CApath ? conn_config->CApath : "none");
   }
 
   /* Load the client certificate, and private key */
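Review bot: The `!imported_ca_info_blob` term in the verifypeer condition, `if(conn_config->verifypeer && !imported_ca_info_blob && !imported_native_ca)`, looks dead in the new code: the added `else` branch is only reached when no CA blob was supplied, so that flag cannot be set here — assuming the matching `if` above the hunk is the blob-import path, which the `else` and the comment suggest. Reducing it to `if(conn_config->verifypeer && !imported_native_ca)` makes the remaining fallback visible, and that fallback deserves a comment of its own, since a failed CAfile/CApath load is still tolerated under verifypeer whenever native CA import succeeded. The widened `if(conn_config->CAfile || conn_config->CApath)` also changes behavior beyond the commit title: a CApath-only configuration previously skipped CA loading entirely and now calls `wolfSSL_CTX_load_verify_locations(ctx, NULL, CApath)`, which is the better outcome but relies on wolfSSL accepting a NULL file with a non-NULL path and so is worth stating in the commit message. The comment `/* load trusted cacert from file if not blob */` is indented one level short of the block it sits in. wolfssl_connect_step1 begins and ends outside the hunk.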