From: Junio C Hamano
Date: Thu, 21 Feb 2008 23:10:37 +0000 (-0800)
Subject: Don't verify host name in SSL certs when GIT_SSL_NO_VERIFY is set
X-Git-Tag: v1.6.0.3~82^2
X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=a5ccc5979d210500d00169f98cc8567ea346fcb0;p=git.git

Don't verify host name in SSL certs when GIT_SSL_NO_VERIFY is set

Originally from Mike Hommey; earlier we were disabling SSL_VERIFYPEER but SSL_VERIFYHOST was in effect even when the user asked not to with the environment variable.

Signed-off-by: Junio C Hamano
---

diff --git a/http.c b/http.c
index 1108ab4a3..a97fdf511 100644
--- a/http.c
+++ b/http.c
@@ -165,7 +165,16 @@ static CURL* get_curl_handle(void)
 {
 CURL* result = curl_easy_init();
 
- curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, curl_ssl_verify);
+ if (!curl_ssl_verify) {
+ curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_easy_setopt(result, CURLOPT_SSL_VERIFYHOST, 0);
+ } else {
+ /* Verify authenticity of the peer's certificate */
+ curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 1);
+ /* The name in the cert must match whom we tried to connect */
+ curl_easy_setopt(result, CURLOPT_SSL_VERIFYHOST, 2);
+ }
+
 #if LIBCURL_VERSION_NUM >= 0x070907
 curl_easy_setopt(result, CURLOPT_NETRC, CURL_NETRC_OPTIONAL);
 #endif
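Review bot: The four added `curl_easy_setopt` calls pass plain `int` literals (`0`, `1`, `2`) for `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`, which libcurl documents as taking a `long`. Because `curl_easy_setopt` is variadic, no conversion happens, so on a platform where `int` and `long` differ in size the value libcurl reads is not guaranteed, and here a misread value changes the verification level. Write them as `curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 0L);` and `curl_easy_setopt(result, CURLOPT_SSL_VERIFYHOST, 2L);`, and likewise for the other two. The disabling branch also lacks the comments its `else` counterpart has; I would add `/* Verification disabled on request: the server is not authenticated on this handle */` above its first call, which seems worth stating given that the `CURLOPT_NETRC` setting follows on the same handle. `get_curl_handle` continues past the end of the hunk.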