| #
f7b97bf7 |
| 21-Apr-2024 |
Damjan Jovanovic |
Override OpenSSL's certificate verification with our own, instead of
using its verification and selectively overriding the result.
- A nonsense self-signed expired certificate is fed into Cur
Override OpenSSL's certificate verification with our own, instead of
using its verification and selectively overriding the result.
- A nonsense self-signed expired certificate is fed into Curl to get it
to initialize even when the certificates in its expected system path
are missing or elsewhere.
- In Curl's CURLOPT_SSL_CTX_FUNCTION, our Curl_SSLContextCallback, we
then completely override OpenSSL's verification process with ours,
using SSL_CTX_set_cert_verify_callback() (instead of the previous
SSL_CTX_set_verify() which just allows us to override OpenSSL's
verification result).
- The verification is largely the same as before, we just have to call
slightly different functions to retrieve the certificate to verify and
the untrusted chain.
- Create components using the component context, not the legacy multi
service factory.
- Various other cleanups, better logging, etc. were made in the process.
Patch by: me
show more ...
|