| #
f7b97bf7 |
| 21-Apr-2024 |
Damjan Jovanovic |
Override OpenSSL's certificate verification with our own, instead of
using its verification and selectively overriding the result.
- A nonsense self-signed expired certificate is fed into Cur
Override OpenSSL's certificate verification with our own, instead of
using its verification and selectively overriding the result.
- A nonsense self-signed expired certificate is fed into Curl to get it
to initialize even when the certificates in its expected system path
are missing or elsewhere.
- In Curl's CURLOPT_SSL_CTX_FUNCTION, our Curl_SSLContextCallback, we
then completely override OpenSSL's verification process with ours,
using SSL_CTX_set_cert_verify_callback() (instead of the previous
SSL_CTX_set_verify() which just allows us to override OpenSSL's
verification result).
- The verification is largely the same as before, we just have to call
slightly different functions to retrieve the certificate to verify and
the untrusted chain.
- Create components using the component context, not the legacy multi
service factory.
- Various other cleanups, better logging, etc. were made in the process.
Patch by: me
show more ...
|
| #
88ba7bc9 |
| 06-Feb-2024 |
Damjan Jovanovic |
Allow our WebDAV content provider to connect when the TLS certificate name
doesn't match the server's host name.
Currently in such cases the connection always fails, and the user isn't e
Allow our WebDAV content provider to connect when the TLS certificate name
doesn't match the server's host name.
Currently in such cases the connection always fails, and the user isn't even
given a chance to allow it. This is because Curl does the server name
validation itself. However we already have code to validate server names,
and we prompt the user for what to do, unlike Curl which always fails.
Therefore disable Curl's verification and use ours.
Patch by: me
show more ...
|