- new upstream release, dropped applied patches
- fix crash on doubly closed NSPR descriptor, patch contributed by Kevin
Baughman (#534176)
This commit is contained in:
Kamil Dudka
parent
c190b8bdbf
commit
9c2701cfed
|
|
@ -1,54 +0,0 @@
|
|||
diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c
|
||||
--- curl-7.19.6.orig/lib/nss.c 2009-08-14 11:14:45.423733097 +0200
|
||||
+++ curl-7.19.6/lib/nss.c 2009-08-14 11:15:04.142733360 +0200
|
||||
@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *ar
|
||||
issuer);
|
||||
break;
|
||||
case SSL_ERROR_BAD_CERT_DOMAIN:
|
||||
- if(conn->data->set.ssl.verifypeer)
|
||||
+ if(conn->data->set.ssl.verifyhost) {
|
||||
+ failf(conn->data, "common name '%s' does not match '%s'",
|
||||
+ subject, conn->host.dispname);
|
||||
success = SECFailure;
|
||||
- infof(conn->data, "common name: %s (does not match '%s')\n",
|
||||
- subject, conn->host.dispname);
|
||||
+ } else {
|
||||
+ infof(conn->data, "warning: common name '%s' does not match '%s'\n",
|
||||
+ subject, conn->host.dispname);
|
||||
+ }
|
||||
break;
|
||||
case SEC_ERROR_EXPIRED_CERTIFICATE:
|
||||
if(conn->data->set.ssl.verifypeer)
|
||||
success = SECFailure;
|
||||
infof(conn->data, "Remote Certificate has expired.\n");
|
||||
break;
|
||||
+ case SEC_ERROR_UNKNOWN_ISSUER:
|
||||
+ if(conn->data->set.ssl.verifypeer)
|
||||
+ success = SECFailure;
|
||||
+ infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
|
||||
+ issuer);
|
||||
+ break;
|
||||
default:
|
||||
if(conn->data->set.ssl.verifypeer)
|
||||
success = SECFailure;
|
||||
@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connect
|
||||
}
|
||||
}
|
||||
|
||||
+ if(data->set.ssl.verifyhost == 1)
|
||||
+ infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
|
||||
+
|
||||
data->set.ssl.certverifyresult=0; /* not checked yet */
|
||||
if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
|
||||
!= SECSuccess) {
|
||||
@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connect
|
||||
if(SSL_ForceHandshakeWithTimeout(connssl->handle,
|
||||
PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
|
||||
!= SECSuccess) {
|
||||
- if(conn->data->set.ssl.certverifyresult!=0)
|
||||
+ if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
|
||||
+ curlerr = CURLE_PEER_FAILED_VERIFICATION;
|
||||
+ else if(conn->data->set.ssl.certverifyresult!=0)
|
||||
curlerr = CURLE_SSL_CACERT;
|
||||
goto error;
|
||||
}
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
diff --git a/lib/nss.c b/lib/nss.c
|
||||
index ea904af..addc165 100644
|
||||
--- a/lib/nss.c
|
||||
+++ b/lib/nss.c
|
||||
@@ -1222,6 +1222,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
||||
if(!connssl->handle)
|
||||
goto error;
|
||||
PR_Close(model); /* We don't need this any more */
|
||||
+ model = NULL;
|
||||
|
||||
/* This is the password associated with the cert that we're using */
|
||||
if (data->set.str[STRING_KEY_PASSWD]) {
|
||||
11
curl.spec
11
curl.spec
|
|
@ -1,11 +1,11 @@
|
|||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.19.6
|
||||
Version: 7.19.7
|
||||
Release: 1%{?dist}
|
||||
License: MIT
|
||||
Group: Applications/Internet
|
||||
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
|
||||
Patch1: curl-7.19.6-verifyhost.patch
|
||||
Patch1: curl-7.19.7-modelfree.patch
|
||||
Patch101: curl-7.15.3-multilib.patch
|
||||
Patch102: curl-7.16.0-privlibs.patch
|
||||
Patch103: curl-7.19.4-debug.patch
|
||||
|
|
@ -66,7 +66,7 @@ done
|
|||
%build
|
||||
autoconf
|
||||
export CPPFLAGS="$(pkg-config --cflags nss) -DHAVE_PK11_CREATEGENERICOBJECT"
|
||||
%configure --without-ssl --with-nss=%{_prefix} --enable-ipv6 \
|
||||
%configure --without-ssl --with-nss --enable-ipv6 \
|
||||
--with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
|
||||
--with-gssapi=%{_prefix}/kerberos --with-libidn \
|
||||
--enable-ldaps --disable-static --with-libssh2
|
||||
|
|
@ -148,6 +148,11 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_datadir}/aclocal/libcurl.m4
|
||||
|
||||
%changelog
|
||||
* Thu Nov 12 2009 Kamil Dudka <kdudka@redhat.com> 7.19.7-1
|
||||
- new upstream release, dropped applied patches
|
||||
- fix crash on doubly closed NSPR descriptor, patch contributed
|
||||
by Kevin Baughman (#534176)
|
||||
|
||||
* Fri Aug 14 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-1
|
||||
- new upstream release, dropped applied patches
|
||||
- changed NSS code to not ignore the value of ssl.verifyhost and produce more
|
||||
|
|
|
|||
Loading…
Reference in New Issue