diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c --- curl-7.19.6.orig/lib/nss.c 2009-08-14 11:14:45.423733097 +0200 +++ curl-7.19.6/lib/nss.c 2009-08-14 11:15:04.142733360 +0200 @@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *ar issuer); break; case SSL_ERROR_BAD_CERT_DOMAIN: - if(conn->data->set.ssl.verifypeer) + if(conn->data->set.ssl.verifyhost) { + failf(conn->data, "common name '%s' does not match '%s'", + subject, conn->host.dispname); success = SECFailure; - infof(conn->data, "common name: %s (does not match '%s')\n", - subject, conn->host.dispname); + } else { + infof(conn->data, "warning: common name '%s' does not match '%s'\n", + subject, conn->host.dispname); + } break; case SEC_ERROR_EXPIRED_CERTIFICATE: if(conn->data->set.ssl.verifypeer) success = SECFailure; infof(conn->data, "Remote Certificate has expired.\n"); break; + case SEC_ERROR_UNKNOWN_ISSUER: + if(conn->data->set.ssl.verifypeer) + success = SECFailure; + infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n", + issuer); + break; default: if(conn->data->set.ssl.verifypeer) success = SECFailure; @@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connect } } + if(data->set.ssl.verifyhost == 1) + infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n"); + data->set.ssl.certverifyresult=0; /* not checked yet */ if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn) != SECSuccess) { @@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connect if(SSL_ForceHandshakeWithTimeout(connssl->handle, PR_SecondsToInterval(HANDSHAKE_TIMEOUT)) != SECSuccess) { - if(conn->data->set.ssl.certverifyresult!=0) + if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) + curlerr = CURLE_PEER_FAILED_VERIFICATION; + else if(conn->data->set.ssl.certverifyresult!=0) curlerr = CURLE_SSL_CACERT; goto error; }