On Tue, 23 Oct 2018, Basuke Suzuki via curl-library wrote:
> We need to distinguish these four cases from CURLE_PEER_FAILED_VERIFICATION.
> So we want to fix this by extending the API. There are three options we can
> take and want to hear your opinion.

...

> 4) Use CURLINFO_SSL_VERIFYRESULT.
>
> Because OpenSSL returns no validation error, the field for this verify
> result is available in the situation. When verifyhost() fails, return code
> is unchanged from CURLE_PEER_FAILED_VERIFICATION and put newly defined error
> code into data->set.ssl.certverifyresult which is available by
> curl_easy_getinfo with CURLINFO_SSL_VERIFYRESULT. This doesn't break
> existing applications.
>
> We are ready to send a PR for solution 4, but before sending this, we want
> to hear the voice of the community.

This is the approach I personally prefer. Just make sure you document the
specific error codes and for what situations they are used, as detailed as
possible. This is the sort of thing that people soon might want for other SSL
backends as well and then we need detailed explanations to know how to
implement and use them there as well...
--
/ daniel.haxx.se