Also set CURLOPT_SSL_VERIFYHOST=0 when "verify-https-binary-caches" is false

This makes that option even more insecure, by also not checking the SSL host. But without this parameter, one can still get SSL errors even when "verify-https-binary-caches" is false, which is unexpected IMO.
author: Utku Demir <utdemir@gmail.com> 2015-09-25T19·34+0300
committer: Utku Demir <utdemir@gmail.com> 2015-09-25T19·34+0300
commit: a49514a2e2325a7926c90e2dab1f504d7aa78255 (patch)
tree: a1a39828893346ba3b85be7d7b414c3b749bd2f8 /scripts
parent: aaf8a1c16bb8de4045d8aae4fea8ac8a1bef2c34 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in
index bb63eafca522..ea053bf14da4 100644
--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -80,7 +80,12 @@ sub addRequest {
     $curl->setopt(CURLOPT_WRITEDATA, $fh);
     $curl->setopt(CURLOPT_FOLLOWLOCATION, 1);
     $curl->setopt(CURLOPT_CAINFO, $caBundle) if defined $caBundle;
-    $curl->setopt(CURLOPT_SSL_VERIFYPEER, 0) unless isTrue($Nix::Config::config{"verify-https-binary-caches"} // "1");
+
+    unless (isTrue($Nix::Config::config{"verify-https-binary-caches"} // "1")) {
+        $curl->setopt(CURLOPT_SSL_VERIFYPEER, 0);
+        $curl->setopt(CURLOPT_SSL_VERIFYHOST, 0);
+    }
+
     $curl->setopt(CURLOPT_USERAGENT, $userAgent);
     $curl->setopt(CURLOPT_NOBODY, 1) if $head;
     $curl->setopt(CURLOPT_FAILONERROR, 1);
author	Utku Demir <utdemir@gmail.com>	2015-09-25T19·34+0300
committer	Utku Demir <utdemir@gmail.com>	2015-09-25T19·34+0300
commit	a49514a2e2325a7926c90e2dab1f504d7aa78255 (patch)
tree	a1a39828893346ba3b85be7d7b414c3b749bd2f8 /scripts
parent	aaf8a1c16bb8de4045d8aae4fea8ac8a1bef2c34 (diff)