From: Jay Satiro Date: Sat, 15 Feb 2025 18:32:34 +0000 (-0500) Subject: curl_msh3: remove verify bypass from DEBUGBUILDs X-Git-Tag: curl-8_13_0~468 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1d7c3ab5aae1e8dc31bc089649eabc47ef66b3a6;p=thirdparty%2Fcurl.git curl_msh3: remove verify bypass from DEBUGBUILDs - Remove the workaround that disabled peer verification in DEBUGBUILDs when CA certs were provided. The workaround was part of a TODO that disabled verification in DEBUGBUILDs with a CAfile/path because apparently there's no way to set those options in msh3 and that caused some tests to fail. Instead the tests should fail and this problem should not be covered up. Ref: https://github.com/curl/curl/pull/16327#issuecomment-2661039423 Closes https://github.com/curl/curl/pull/16342 --- diff --git a/lib/vquic/curl_msh3.c b/lib/vquic/curl_msh3.c index e0b5949cfd..c592b2ec2b 100644 --- a/lib/vquic/curl_msh3.c +++ b/lib/vquic/curl_msh3.c @@ -838,16 +838,10 @@ static CURLcode cf_connect_start(struct Curl_cfilter *cf, MSH3_SET_PORT(&addr, (uint16_t)cf->conn->remote_port); if(verify && (conn_config->CAfile || conn_config->CApath)) { - /* Need a way to provide trust anchors to MSH3 */ -#ifdef DEBUGBUILD - /* we need this for our test cases to run */ - CURL_TRC_CF(data, cf, "non-standard CA not supported, " - "switching off verifypeer in DEBUG mode"); - verify = 0; -#else + /* Note there's currently no way to provide trust anchors to MSH3 and + that causes tests to fail. */ CURL_TRC_CF(data, cf, "non-standard CA not supported, " "attempting with built-in verification"); -#endif } CURL_TRC_CF(data, cf, "connecting to %s:%d (verify=%d)",
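Review bot: In the `if(verify && (conn_config->CAfile || conn_config->CApath))` branch of `cf_connect_start`, the configured CAfile/CApath is still dropped with only a `CURL_TRC_CF` trace, so a caller who supplied a private CA gets built-in verification with no indication unless tracing is enabled. Removing the `verify = 0` DEBUGBUILD path closes the silent downgrade in debug builds, but consider also reporting this case more visibly than a trace line, so that an ignored trust-anchor setting is not mistaken for an honoured one. The new comment says the limitation "causes tests to fail" without saying which tests; naming them or pointing at the referenced PR discussion in the comment would help the next reader, and keeping a TODO-style marker (the removed "Need a way to provide trust anchors to MSH3") would make it clear the gap is still open.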