#
f7b97bf7 |
| 21-Apr-2024 |
Damjan Jovanovic |
Override OpenSSL's certificate verification with our own, instead of using its verification and selectively overriding the result.

- A nonsense self-signed expired certificate is fed into Curl to get it to initialize even when the certificates in its expected system path are missing or elsewhere.
- In Curl's CURLOPT_SSL_CTX_FUNCTION, our Curl_SSLContextCallback, we then completely override OpenSSL's verification process with ours, using SSL_CTX_set_cert_verify_callback() (instead of the previous SSL_CTX_set_verify() which just allows us to override OpenSSL's verification result).
- The verification is largely the same as before; we just have to call slightly different functions to retrieve the certificate to verify and the untrusted chain.
- Create components using the component context, not the legacy multi service factory.
- Various other cleanups, better logging, etc. were made in the process.

Patch by: me
|
#
88ba7bc9 |
| 06-Feb-2024 |
Damjan Jovanovic |
Allow our WebDAV content provider to connect when the TLS certificate name doesn't match the server's host name.

Currently, in such cases the connection always fails, and the user isn't even given a chance to allow it. This is because Curl does the server name validation itself. However, we already have code to validate server names, and we prompt the user for what to do, unlike Curl which always fails. Therefore disable Curl's verification and use ours.

Patch by: me
|