Re: [Patch reminder] Don't verify host name in SSL certs when GIT_SSL_NO_VERIFY is set

Subject: Don't verify host name in SSL certs when GIT_SSL_NO_VERIFY is set
Date: Thu, 21 Feb 2008 15:10:37 -0800

Signed-off-by: Junio C Hamano <gitster@xxxxxxxxx>
---
 Mike Hommey <mh@xxxxxxxxxxxx> writes:

 > While rebasing old branches on master, I saw that I still had this
 > patch[1] ahead, to which you replied with [2]. I might be guilty of not
 > replying back then, but I think your version should be applied.
 >
 > 1. http://marc.info/?l=git&m=120362183916288&w=2
 > 2. http://marc.info/?l=git&m=120363548506950&w=2

 Thanks.

 Just to make sure we are on the same page and to give other people
 a chance to comment on and potentially offer a better solution, this
 is the patch in question.

 Next time around, please forward/resend "old patches that should not have
 been forgotten" in the way I am doing here.

diff --git a/http.c b/http.c
index 5925d07..8dce820 100644
--- a/http.c
+++ b/http.c
@@ -176,7 +176,16 @@ static CURL* get_curl_handle(void)
 {
 	CURL* result = curl_easy_init();
 
-	curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, curl_ssl_verify);
+	if (!curl_ssl_verify) {
+		curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 0);
+		curl_easy_setopt(result, CURLOPT_SSL_VERIFYHOST, 0);
+	} else {
+		/* Verify authenticity of the peer's certificate */
+		curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 1);
+		/* The name in the cert must match whom we tried to connect */
+		curl_easy_setopt(result, CURLOPT_SSL_VERIFYHOST, 2);
+	}
+
 #if LIBCURL_VERSION_NUM >= 0x070907
 	curl_easy_setopt(result, CURLOPT_NETRC, CURL_NETRC_OPTIONAL);
 #endif
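
Review bot: The new curl_easy_setopt() calls for CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST pass plain int literals (0, 1, 2), but libcurl documents both options as taking a long, and because curl_easy_setopt() is variadic no conversion is applied; write 0L, 1L and 2L so the value is read correctly where int and long differ in size. The !curl_ssl_verify branch would also benefit from a comment like the two in the else branch, stating that it turns off both the certificate-chain check and the host-name check, so the server is not authenticated at all when that branch is taken.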