openssl: if verifypeer is not requested, skip the CA loading #7892
It was previously done mostly to show a match/non-match in the verbose output even when verification was not asked for. This change skips the loading of the CA certs unless verifypeer is set to save memory and CPU.
This commit is causing the problem in our application that uses libcurl. Please see the old comment for more details on this. IMO, we should revert this commit.
I think a start would be to file an issue explaining the problem.
Interesting (and glad) to see this has been re-added after my previous commit had been reverted. After my PR in #2290, I added a note in https://github.com/pschlan/curl/blob/master/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3#L61-L68 to document the expensive loading of the CA file despite VERIFYPEER being disabled. Should we remove this note now?
Oh nice catch @pschlan, yes we should. You wanna do it?
This note became obsolete since PR curl#7892 (see also discussion in the PR comments).
.. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA. This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the CA store can be used at the same time. --- This behavior was originally added over two years ago in abbc5d6 (curl#5585) but then 83393b1 (curl#7892) broke it two months ago, I assume inadvertently. The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely rarely used. Ref: curl#5585 Ref: curl#7892 Ref: https://curl.se/mail/lib-2023-01/0019.html Closes #xxxx
.. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA. This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the native Windows CA store can be used at the same time. --- This behavior was originally added over two years ago in abbc5d6 (#5585) but then 83393b1 (#7892) broke it over a year ago, I assume inadvertently. The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely rarely used. Ref: #5585 Ref: #7892 Ref: https://curl.se/mail/lib-2023-01/0019.html Closes #10244
.. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA. This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the native Windows CA store can be used at the same time. --- This behavior was originally added over two years ago in abbc5d6 (curl#5585) but then 83393b1 (curl#7892) broke it over a year ago, I assume inadvertently. The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely rarely used. Ref: curl#5585 Ref: curl#7892 Ref: https://curl.se/mail/lib-2023-01/0019.html Closes curl#10244