52 lines
2.2 KiB
Diff
52 lines
2.2 KiB
Diff
|
diff --git a/lib/vquic/quiche.c b/lib/vquic/quiche.c
|
||
|
index bfdc966a85ea..e4bea4d677be 100644
|
||
|
--- a/lib/vquic/quiche.c
|
||
|
+++ b/lib/vquic/quiche.c
|
||
|
@@ -201,23 +201,31 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data)
|
||
|
|
||
|
{
|
||
|
struct connectdata *conn = data->conn;
|
||
|
- const char * const ssl_cafile = conn->ssl_config.CAfile;
|
||
|
- const char * const ssl_capath = conn->ssl_config.CApath;
|
||
|
-
|
||
|
if(conn->ssl_config.verifypeer) {
|
||
|
- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
|
||
|
- /* tell OpenSSL where to find CA certificates that are used to verify
|
||
|
- the server's certificate. */
|
||
|
- if(!SSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) {
|
||
|
- /* Fail if we insist on successfully verifying the server. */
|
||
|
- failf(data, "error setting certificate verify locations:"
|
||
|
- " CAfile: %s CApath: %s",
|
||
|
- ssl_cafile ? ssl_cafile : "none",
|
||
|
- ssl_capath ? ssl_capath : "none");
|
||
|
- return NULL;
|
||
|
+ const char * const ssl_cafile = conn->ssl_config.CAfile;
|
||
|
+ const char * const ssl_capath = conn->ssl_config.CApath;
|
||
|
+ if(ssl_cafile || ssl_capath) {
|
||
|
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
|
||
|
+ /* tell OpenSSL where to find CA certificates that are used to verify
|
||
|
+ the server's certificate. */
|
||
|
+ if(!SSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) {
|
||
|
+ /* Fail if we insist on successfully verifying the server. */
|
||
|
+ failf(data, "error setting certificate verify locations:"
|
||
|
+ " CAfile: %s CApath: %s",
|
||
|
+ ssl_cafile ? ssl_cafile : "none",
|
||
|
+ ssl_capath ? ssl_capath : "none");
|
||
|
+ return NULL;
|
||
|
+ }
|
||
|
+ infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
|
||
|
+ infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
|
||
|
}
|
||
|
- infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
|
||
|
- infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
|
||
|
+#ifdef CURL_CA_FALLBACK
|
||
|
+ else {
|
||
|
+ /* verifying the peer without any CA certificates won't work so
|
||
|
+ use openssl's built-in default as fallback */
|
||
|
+ SSL_CTX_set_default_verify_paths(ssl_ctx);
|
||
|
+ }
|
||
|
+#endif
|
||
|
}
|
||
|
}
|
||
|
return ssl_ctx;
|