wolfssl: ignore errors in CA path

The default wolfSSL_CTX_load_verify_locations() function is quite picky with the certificates it loads and will for example return error if just one of the certs has expired. With the *_ex() function and its WOLFSSL_LOAD_FLAG_IGNORE_ERR flag, it behaves more similar to what OpenSSL does by default. Even the set of default certs on my Debian unstable has several expired ones. Assisted-by: Juliusz Sosinowicz Assisted-by: Michael Osipov Closes #11987
2026-05-17 09:46:21 +03:00 · 2023-09-29 12:58:43 +02:00 · 2023-09-29 12:58:43 +02:00 · 463528b0f8
commit 463528b0f8
parent 5bbe732d20
2 changed files with 12 additions and 5 deletions
--- a/lib/vquic/curl_ngtcp2.c
+++ b/lib/vquic/curl_ngtcp2.c
@ -648,10 +648,13 @@ static CURLcode quic_ssl_ctx(WOLFSSL_CTX **pssl_ctx,
    const char * const ssl_capath = conn->ssl_config.CApath;

    wolfSSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
-    if(conn->ssl_config.CAfile || conn->ssl_config.CApath) {
+    if(ssl_cafile || ssl_capath) {
      /* tell wolfSSL where to find CA certificates that are used to verify
         the server's certificate. */
-      if(!wolfSSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) {
+      int rc =
+        wolfSSL_CTX_load_verify_locations_ex(ssl_ctx, ssl_cafile, ssl_capath,
+                                             WOLFSSL_LOAD_FLAG_IGNORE_ERR);
+      if(SSL_SUCCESS != rc) {
        /* Fail if we insist on successfully verifying the server. */
        failf(data, "error setting certificate verify locations:"
              "  CAfile: %s CApath: %s",
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@ -547,9 +547,12 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
 #ifndef NO_FILESYSTEM
  /* load trusted cacert from file if not blob */
  if(ssl_cafile || ssl_capath) {
-    if(1 != wolfSSL_CTX_load_verify_locations(backend->ctx,
-                                              ssl_cafile,
-                                              ssl_capath)) {
+    int rc =
+      wolfSSL_CTX_load_verify_locations_ex(backend->ctx,
+                                           ssl_cafile,
+                                           ssl_capath,
+                                           WOLFSSL_LOAD_FLAG_IGNORE_ERR);
+    if(SSL_SUCCESS != rc) {
      if(conn_config->verifypeer && !imported_ca_info_blob &&
         !imported_native_ca) {
        /* Fail if we insist on successfully verifying the server. */
@ -1378,6 +1381,7 @@ const struct Curl_ssl Curl_ssl_wolfssl = {
 #ifdef USE_BIO_CHAIN
  SSLSUPP_HTTPS_PROXY |
 #endif
+  SSLSUPP_CA_PATH |
  SSLSUPP_CAINFO_BLOB |
  SSLSUPP_SSL_CTX,