From 9af60d2d52d9635ba4498d3a42abd85c7c2140db Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Tue, 24 Mar 2015 13:25:17 +0100
Subject: [PATCH] use openssl's built in verify path as fallback

Trying to verify a peer without any having any root CA certificates registered won't work. So use openssl's built in default as fallback. https://github.com/bagder/curl/pull/175
---
 lib/vtls/openssl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 3f93e22..34abd64 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2012,6 +2012,10 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
 "none",
 data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]:
 "none");
+ } else if (data->set.ssl.verifypeer) {
+ /* verfying the peer without any CA certificates won't
+ work so use openssl's built in default as fallback */
+ SSL_CTX_set_default_verify_paths(connssl->ctx);
 }
 
 if(data->set.str[STRING_SSL_CRLFILE]) {
--
2.3.3
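Review bot: The result of `SSL_CTX_set_default_verify_paths(connssl->ctx)` in the new `else if` branch is discarded, so if OpenSSL reports failure (returns 0) the connection carries on with an empty trust store and only fails later with a generic verification error. Check it and fail explicitly, e.g. `if(!SSL_CTX_set_default_verify_paths(connssl->ctx)) { failf(data, "error loading default certificate verify locations"); return CURLE_SSL_CACERT_BADFILE; }`, and add an `infof` saying the built-in default is in use, as the preceding branch appears to do for CAfile/CApath. The fallback also widens the trust set for callers that leave both CAfile and CApath unset on purpose, for instance because they populate the store themselves. OpenSSL's default locations can additionally be redirected through the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables, so the new behaviour should be documented where the CA options are described. The body of `ossl_connect_step1` starts and ends outside this hunk.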