TLS: make SSL_VERIFYSTATUS work again The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl and thus even if the status couldn't be verified, the connection would be allowed and the user would not be told about the failed verification. Regression since cb4e2be7c6d42ca CVE-2017-2629 Bug: https://curl.haxx.se/docs/adv_20170222.html Reported-by: Marcus Hoffmann

commit: ca6ea6d9be5102a2246dff6e17b3ee9ad4ec64d0 [log] [tgz]
author: Daniel Stenberg <daniel@haxx.se> Sun Jan 22 18:11:55 2017 +0100
committer: Daniel Stenberg <daniel@haxx.se> Tue Feb 21 08:33:18 2017 +0100
tree: 2e19cd1ea4d0b7b654629a0d14c04691f64de257
parent: af5fbb14bb4fd86cdc5bf2c9f1f2b3b5d8d2af66 [diff]
diff --git a/lib/url.c b/lib/url.c
index 2886abe..b8f7cfb 100644
--- a/lib/url.c
+++ b/lib/url.c

@@ -4173,8 +4173,11 @@
   conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
   conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
 
+  conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
   conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
   conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
+  conn->proxy_ssl_config.verifystatus =
+    data->set.proxy_ssl.primary.verifystatus;
   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
commit	ca6ea6d9be5102a2246dff6e17b3ee9ad4ec64d0	[log] [tgz]
author	Daniel Stenberg <daniel@haxx.se>	Sun Jan 22 18:11:55 2017 +0100
committer	Daniel Stenberg <daniel@haxx.se>	Tue Feb 21 08:33:18 2017 +0100
tree	2e19cd1ea4d0b7b654629a0d14c04691f64de257
parent	af5fbb14bb4fd86cdc5bf2c9f1f2b3b5d8d2af66 [diff]