Backward compatibility issue with CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST options. #1941

@agaloyan

Description

Starting from the "proxy: Support HTTPS proxy and SOCKS+HTTP(s)" (cb4e2be) change, it is no longer possible to change the CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST option values for the current connection.

Because the SSL configuration options were moved to the connectdata structure, which is created at the connecting phase, they are no longer affected by the curl_easy_setopt function for the current connection.

The old behavior was very helpful in the following two use cases:

  1. An interactive application, after receiving an unknown (or self-signed) certificate, shows it on the console and asks the user to reject or accept it.
  2. A non-interactive application implements some sort of Trust On First Use for self-signed certificates. When such a certificate is received, the verify callback checks local storage for known certificates. If there is no previously saved certificate for the host, then it saves the newly received certificate and accepts the connection. In further connections it will accept self-signed certificates for the same host only if the public key matches the previously stored certificates.

In both cases both options (CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST) are set to TRUE before connection initialization.
During the SSL negotiation phase a verify callback (set by the SSL_CTX_set_verify function) does all appropriate checks and, if it decides to accept the connection, switches both CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to FALSE to allow curl/openssl to establish the connection.
This was working perfectly in curl 7.50.3 and older versions... But now curl_easy_setopt updates only the Easy_curl structure and not the connectdata which is used during the current connection.

We have been using libcurl and openssl 1.0.1/1.0.2 for almost 4 years in our projects and this is the first time we have gotten stuck on an update.

I suggest updating the data->easy_conn->ssl_config fields in the curl_easy_setopt function along with data->set.ssl.primary, i.e.

in url.c (~line 2137), for case CURLOPT_SSL_VERIFYPEER, after the following line:

data->set.ssl.primary.verifypeer = (0 != va_arg(param, long)) ? TRUE : FALSE;

update the appropriate SSL variables of the current connection:

if (data->easy_conn) {
  data->easy_conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
}

... similar code needs to be applied for the CURLOPT_PROXY_SSL_VERIFYPEER, CURLOPT_SSL_VERIFYHOST and CURLOPT_PROXY_SSL_VERIFYHOST cases.

operating system

win32, lin32 and lin64.
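The Trust On First Use decision at the heart of the second use case, as an added example that is not part of the issue or of curl itself. It models the "local storage" the verify callback consults as a small in-memory table keyed by host, and returns one of three outcomes: first contact (pin saved, accept), key matches the stored pin (accept), key differs (reject). The libcurl/OpenSSL glue (the SSL_CTX_set_verify callback that would call tofu_check() and, only on an accepting result, relax verification for the current connection) is deliberately left out so the block builds without those libraries; the host name and fingerprint strings are constructed values, and fingerprints are treated as opaque strings rather than derived from a real public key.

```c
#include <stdio.h>
#include <string.h>

/* Trust-On-First-Use (TOFU) store for self-signed peers, standing in for
 * the "local storage" the verify callback consults in the issue's second
 * use case. One entry per host: the public-key fingerprint first seen there.
 * Fingerprints are opaque strings here; a real callback would derive them
 * from the peer's public key before calling tofu_check(). */
#define TOFU_MAX_HOSTS 16
#define TOFU_HOST_LEN  128
#define TOFU_FP_LEN    128

enum tofu_result {
  TOFU_FIRST_USE = 0, /* no pin for host yet: pin saved, connection accepted */
  TOFU_MATCH     = 1, /* pin exists and matches: connection accepted */
  TOFU_MISMATCH  = 2  /* pin exists and differs, or store is full: rejected */
};

struct tofu_entry { char host[TOFU_HOST_LEN]; char fp[TOFU_FP_LEN]; };
struct tofu_store { struct tofu_entry entries[TOFU_MAX_HOSTS]; int count; };

static struct tofu_entry *tofu_find(struct tofu_store *s, const char *host)
{
  for (int i = 0; i < s->count; i++)
    if (strcmp(s->entries[i].host, host) == 0)
      return &s->entries[i];
  return NULL;
}

/* The decision the verify callback makes for a self-signed certificate. */
enum tofu_result tofu_check(struct tofu_store *s, const char *host,
                            const char *pubkey_fp)
{
  struct tofu_entry *e = tofu_find(s, host);
  if (e == NULL) {
    if (s->count >= TOFU_MAX_HOSTS)
      return TOFU_MISMATCH; /* fail closed rather than accept an unpinned peer */
    e = &s->entries[s->count++];
    snprintf(e->host, sizeof e->host, "%s", host);
    snprintf(e->fp, sizeof e->fp, "%s", pubkey_fp);
    return TOFU_FIRST_USE;
  }
  return strcmp(e->fp, pubkey_fp) == 0 ? TOFU_MATCH : TOFU_MISMATCH;
}

/* Only an accepting result justifies relaxing VERIFYPEER/VERIFYHOST for
 * the current connection, as the issue describes; on a mismatch the
 * callback must leave verification on so the handshake fails. */
int tofu_accepts(enum tofu_result r)
{
  return r == TOFU_FIRST_USE || r == TOFU_MATCH;
}

/* Walks three connections against a fresh store and returns how many
 * were rejected: only the one presenting a changed key, so 1. */
int tofu_demo(void)
{
  struct tofu_store store;
  const char *host        = "selfsigned.internal";       /* constructed */
  const char *fp_original = "SHA256:0f1e2d3c4b5a6978";   /* constructed */
  const char *fp_changed  = "SHA256:9a8b7c6d5e4f3a2b";   /* constructed */
  int rejected = 0;
  enum tofu_result r;

  memset(&store, 0, sizeof store);

  r = tofu_check(&store, host, fp_original); /* first contact: pin saved */
  if (!tofu_accepts(r)) rejected++;
  r = tofu_check(&store, host, fp_original); /* same key again: accepted */
  if (!tofu_accepts(r)) rejected++;
  r = tofu_check(&store, host, fp_changed);  /* different key: rejected */
  if (!tofu_accepts(r)) rejected++;

  printf("rejected connections: %d\n", rejected);
  return rejected;
}

int main(void)
{
  return tofu_demo() == 1 ? 0 : 1;
}
```

The store is filled to capacity by refusing new hosts rather than accepting them, and a changed key is never overwritten automatically: both keep the callback from silently widening trust, which matters because the issue's mechanism turns an accept into a connection-wide disabling of peer and host verification.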
