Change #275001
| Category | curl |
| Changed by | Graham Campbell <hello@gjcampbell.co.uk> |
| Changed at | Wed 15 Jul 2026 22:04:38 |
| Repository | https://github.com/curl/curl.git |
| Project | curl |
| Branch | master |
| Revision | b8c061c75187fe59dff7ab79022125daa94b5e23 |
Comments
ngtcp2: let verify failures win over expiry processing errors A flaky CI failure of `test_17_05_bad_ip_addr[h3]` (GnuTLS, event-based) had curl detect the certificate name mismatch yet exit with `CURLE_RECV_ERROR` (56) instead of `CURLE_PEER_FAILED_VERIFICATION` (60). `Curl_cf_ngtcp2_cmn_connect` calls `Curl_cf_ngtcp2_cmn_set_expiry` after its `ctx->tls_vrfy_result` override and returns the error unfiltered, so when the server's final handshake flight happens to be processed by the ingress inside set_expiry, the verify failure surfaces as a generic receive error. This PR makes set_expiry prefer `ctx->tls_vrfy_result` over generic progress errors, as the recv and send paths already do after calling it, and also covers the `cf-ngtcp2-proxy.c` call sites that lack the override. Completes #21712. Seen in https://github.com/curl/curl/actions/runs/29243256619/job/86794119412. Closes #22317
Changed files
- lib/vquic/cf-ngtcp2-cmn.c