From: Daniel Stenberg
Date: Fri, 29 Sep 2023 10:58:43 +0000 (+0200)
Subject: wolfssl: ignore errors in CA path
X-Git-Tag: curl-8_4_0~72
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=463528b0f874be22461de5398b7414feb43d0a76;p=thirdparty%2Fcurl.git

wolfssl: ignore errors in CA path

The default wolfSSL_CTX_load_verify_locations() function is quite picky with the certificates it loads and will for example return error if just one of the certs has expired. With the *_ex() function and its WOLFSSL_LOAD_FLAG_IGNORE_ERR flag, it behaves more similar to what OpenSSL does by default.

Even the set of default certs on my Debian unstable has several expired ones.

Assisted-by: Juliusz Sosinowicz
Assisted-by: Michael Osipov
Closes #11987
---
diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c
index 13fa954d2e..27711ef0cd 100644
--- a/lib/vquic/curl_ngtcp2.c
+++ b/lib/vquic/curl_ngtcp2.c
@@ -648,10 +648,13 @@ static CURLcode quic_ssl_ctx(WOLFSSL_CTX **pssl_ctx,
   const char * const ssl_capath = conn->ssl_config.CApath;
 
   wolfSSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
-  if(conn->ssl_config.CAfile || conn->ssl_config.CApath) {
+  if(ssl_cafile || ssl_capath) {
     /* tell wolfSSL where to find CA certificates that are used to verify
        the server's certificate. */
-    if(!wolfSSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) {
+    int rc =
+      wolfSSL_CTX_load_verify_locations_ex(ssl_ctx, ssl_cafile, ssl_capath,
+                                           WOLFSSL_LOAD_FLAG_IGNORE_ERR);
+    if(SSL_SUCCESS != rc) {
       /* Fail if we insist on successfully verifying the server. */
       failf(data, "error setting certificate verify locations:"
             " CAfile: %s CApath: %s",
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index d667a59eea..6b526164a1 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
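Review bot: WOLFSSL_LOAD_FLAG_IGNORE_ERR is broader than the stated goal of tolerating expired certs: as far as I can tell from the wolfSSL flag set, it skips any certificate in the CAfile/CApath that fails to load for whatever reason, whereas the narrower WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY (if present in the wolfSSL versions curl supports) tolerates date errors alone, so it is worth confirming which flag matches the intended OpenSSL-like behaviour. A bundle in which every cert fails to load may then, if I read the flag semantics right, still come back as SSL_SUCCESS with an empty trust store, so the failf path behind `if(SSL_SUCCESS != rc)` no longer catches a broken CA configuration and the user only sees a later peer-verification failure. The comment above the call should record that trade-off, e.g. `/* load CA certs from CAfile/CApath; WOLFSSL_LOAD_FLAG_IGNORE_ERR skips individual certs that fail to load (e.g. expired ones) instead of failing the whole call, so a bad bundle may only surface at verification time */`. The same applies to the wolfssl_connect_step1 hunk in lib/vtls/wolfssl.c; quic_ssl_ctx continues outside this hunk.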
@@ -547,9 +547,12 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
 #ifndef NO_FILESYSTEM
   /* load trusted cacert from file if not blob */
   if(ssl_cafile || ssl_capath) {
-    if(1 != wolfSSL_CTX_load_verify_locations(backend->ctx,
-                                              ssl_cafile,
-                                              ssl_capath)) {
+    int rc =
+      wolfSSL_CTX_load_verify_locations_ex(backend->ctx,
+                                           ssl_cafile,
+                                           ssl_capath,
+                                           WOLFSSL_LOAD_FLAG_IGNORE_ERR);
+    if(SSL_SUCCESS != rc) {
       if(conn_config->verifypeer && !imported_ca_info_blob &&
          !imported_native_ca) {
         /* Fail if we insist on successfully verifying the server. */
@@ -1378,6 +1381,7 @@ const struct Curl_ssl Curl_ssl_wolfssl = {
 #ifdef USE_BIO_CHAIN
   SSLSUPP_HTTPS_PROXY |
 #endif
+  SSLSUPP_CA_PATH |
   SSLSUPP_CAINFO_BLOB |
   SSLSUPP_SSL_CTX,