aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2002-08-30 11:09:49 +0000
committerDaniel Stenberg <daniel@haxx.se>2002-08-30 11:09:49 +0000
commit0e0caf7c063c282fb35b8ab87fde1d38fe32d489 (patch)
tree6acc7ac64ff0f0b1dd98cee86bbd2709909317c4
parent5644f4a2957378fb480369d2f1c9d5ccc4ebac6f (diff)
CURLE_SSL_INSECURE is removed again and so is CURLOPT_SSL_INSECURE, we
proceed fine with the already existing options, just having a different internal library default for capath.
-rw-r--r--CHANGES19
-rw-r--r--configure.in2
-rw-r--r--include/curl/curl.h11
-rw-r--r--lib/Makefile.am1
-rw-r--r--lib/ssluse.c6
-rw-r--r--lib/url.c31
-rw-r--r--lib/urldata.h2
-rw-r--r--src/main.c41
8 files changed, 51 insertions, 62 deletions
diff --git a/CHANGES b/CHANGES
index 466c35b40..51dec77fd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,15 +6,24 @@
Changelog
+Daniel (30 Aug 2002)
+- Applied an anonymous SOCKS5-proxy patch. Not properly working in all
+ situations though, as all getaddrinfo()-using libcurls will fail on this.
+
+- Fixed up the SSL cert fixes from the other day even more after more inputs
+ from Cris. Added three new error codes to make the CURLE_SSL_CONNECT_ERROR
+ slightly less overloaded.
+
Daniel (27 Aug 2002)
- After lots of talk with Tom Zerucha, Nick Gimbrone and Cris Bailiff I
- decided to talk the bold path and I now introduced the CURLOPT_SSL_INSECURE
- option that needs to be set to TRUE to allow libcurl to connect to SSL sites
- without using a CA certificate to verify it with.
+ decided to talk the bold path and I now made libcurl do CA certificate
+ verification by default. Thus library users need to explicitly turn this off
+ if you want to connect to sites without proper checking. We also install a
+ CA cert bundle on 'make install' now.
- The curl tool similarly requires the -k/--insecure optin in order to allow
+ The curl tool now requires the -k/--insecure option in order to allow
connections and operations on SSL sites that aren't properly verified with
- -cafile or --capath
+ -cafile or --capath.
Daniel (26 Aug 2002)
- Andrew Francis cleaned up some code that now compiles fine without the need
diff --git a/configure.in b/configure.in
index c7f51b672..ba45c060c 100644
--- a/configure.in
+++ b/configure.in
@@ -710,7 +710,7 @@ if test "x$ca" = "xno"; then
dnl let's not keep "no" as path name, blank it instead
ca=""
else
- AC_DEFINE_UNQUOTED(CURL_CA_BUNDLE, $ca, [CA bundle full path name])
+ AC_DEFINE_UNQUOTED(CURL_CA_BUNDLE, "$ca", [CA bundle full path name])
fi
CURL_CA_BUNDLE="$ca"
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 00a7fa88a..1b20a674e 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -197,8 +197,10 @@ typedef enum {
CURLE_SEND_ERROR, /* 55 - failed sending network data */
CURLE_RECV_ERROR, /* 56 - failure in receiving network data */
CURLE_SHARE_IN_USE, /* 57 - share is in use */
- CURLE_SSL_INSECURE, /* 58 - connect attempt without certificate
- but SSL_INSECURE not explicitly allowed */
+ CURLE_SSL_CERTPROBLEM, /* 58 - problem with the local certificate */
+ CURLE_SSL_CIPHER, /* 59 - couldn't use specified cipher */
+ CURLE_SSL_CACERT, /* 60 - problem with the CA cert (path?) */
+
CURL_LAST /* never use! */
} CURLcode;
@@ -579,12 +581,9 @@ typedef enum {
/* Provide a CURLShare for mutexing non-ts data */
CINIT(SHARE, OBJECTPOINT, 100),
- /* Explicitly allow insecure SSL connects */
- CINIT(SSL_INSECURE, LONG, 101),
-
/* indicates type of proxy. accepted values are CURLPROXY_HTTP (default),
CURLPROXY_SOCKS4 and CURLPROXY_SOCKS5. */
- CINIT(PROXYTYPE, LONG, 102),
+ CINIT(PROXYTYPE, LONG, 101),
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 6307ca790..12a582d92 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -72,5 +72,6 @@ $(srcdir)/getdate.c: getdate.y
install-data-hook:
@if test -n "@CURL_CA_BUNDLE@"; then \
+ $(mkinstalldirs) `dirname $(DESTDIR)@CURL_CA_BUNDLE@`; \
@INSTALL_DATA@ ca-bundle.crt $(DESTDIR)@CURL_CA_BUNDLE@; \
fi
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 3c7f1ba21..5a002f01c 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -722,7 +722,7 @@ Curl_SSLConnect(struct connectdata *conn)
data->set.key,
data->set.key_type)) {
/* failf() is already done in cert_stuff() */
- return CURLE_SSL_CONNECT_ERROR;
+ return CURLE_SSL_CERTPROBLEM;
}
}
@@ -730,7 +730,7 @@ Curl_SSLConnect(struct connectdata *conn)
if (!SSL_CTX_set_cipher_list(conn->ssl.ctx,
data->set.ssl.cipher_list)) {
failf(data, "failed setting cipher list");
- return CURLE_SSL_CONNECT_ERROR;
+ return CURLE_SSL_CIPHER;
}
}
@@ -743,7 +743,7 @@ Curl_SSLConnect(struct connectdata *conn)
data->set.ssl.CAfile,
data->set.ssl.CApath)) {
failf(data,"error setting cerficate verify locations");
- return CURLE_SSL_CONNECT_ERROR;
+ return CURLE_SSL_CACERT;
}
}
else
diff --git a/lib/url.c b/lib/url.c
index c9aa3042a..f8d647491 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -111,6 +111,7 @@
#include "ldap.h"
#include "url.h"
#include "connect.h"
+#include "ca-bundle.h"
#include <curl/types.h>
@@ -293,12 +294,23 @@ CURLcode Curl_open(struct SessionHandle **curl)
free(data);
return CURLE_OUT_OF_MEMORY;
}
-
+
+ /*
+ * libcurl 7.10 introduces SSL verification *by default*! This needs to be
+ * switched off unless wanted.
+ */
+ data->set.ssl.verifypeer = TRUE;
+ data->set.ssl.verifyhost = 2;
+#ifdef CURL_CA_BUNDLE
+ /* This is our prefered CA cert bundle since install time */
+ data->set.ssl.CAfile = CURL_CA_BUNDLE;
+#endif
+
+
memset(data->state.connects, 0,
sizeof(struct connectdata *)*data->state.numconnects);
*curl = data;
-
return CURLE_OK;
}
@@ -1051,10 +1063,6 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
}
break;
- case CURLOPT_SSL_INSECURE:
- data->set.ssl.allow_insecure = va_arg(param, long)?TRUE:FALSE;
- break;
-
case CURLOPT_PROXYTYPE:
/*
* Set proxy type. HTTP/SOCKS4/SOCKS5
@@ -2247,17 +2255,6 @@ static CURLcode CreateConnection(struct SessionHandle *data,
return CURLE_UNSUPPORTED_PROTOCOL;
}
- if(conn->protocol & PROT_SSL) {
- /* If SSL is requested, require security level info */
-
- if(!data->set.ssl.allow_insecure &&
- !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
- failf(data, "Insecure SSL connect attempted without explicit permission granted");
- return CURLE_SSL_INSECURE;
- }
- }
-
-
/*************************************************************
* Figure out the remote port number
*
diff --git a/lib/urldata.h b/lib/urldata.h
index 5a93150b2..2f183711e 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -144,8 +144,6 @@ struct ssl_config_data {
char *random_file; /* path to file containing "random" data */
char *egdsocket; /* path to file containing the EGD daemon socket */
char *cipher_list; /* list of ciphers to use */
- bool allow_insecure; /* allow connects without any CA certificate */
-
long numsessions; /* SSL session id cache size */
};
diff --git a/src/main.c b/src/main.c
index e12bdc4b8..fa2b43f38 100644
--- a/src/main.c
+++ b/src/main.c
@@ -2721,13 +2721,21 @@ operate(struct Configurable *config, int argc, char *argv[])
curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, config->key_passwd);
if(config->cacert || config->capath) {
- if (config->cacert) curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
- if (config->capath) curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
+ if (config->cacert)
+ curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
+
+ if (config->capath)
+ curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
}
- else
+ else {
+ if(config->insecure_ok)
+ /* new stuff needed for libcurl 7.10 */
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
+
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
+ }
if((config->conf&CONF_NOBODY) ||
config->remote_time) {
@@ -2798,9 +2806,6 @@ operate(struct Configurable *config, int argc, char *argv[])
}
curl_easy_setopt(curl, CURLOPT_VERBOSE, config->conf&CONF_VERBOSE);
- /* new in curl 7.10 */
- curl_easy_setopt(curl, CURLOPT_SSL_INSECURE, config->insecure_ok);
-
res = curl_easy_perform(curl);
if((config->progressmode == CURL_PROGRESS_BAR) &&
@@ -2823,28 +2828,8 @@ operate(struct Configurable *config, int argc, char *argv[])
vms_show = VMSSTS_HIDE;
}
#else
- if((res!=CURLE_OK) && config->showerror) {
- switch(res) {
- case CURLE_SSL_INSECURE:
- /* Since this breaks how curl used to work, we need a slightly more
- verbose and descriptive error here to educate people what is
- happening and what to do to make it work. At least for a
- while. */
- fprintf(config->errors, "curl: (%d) %s\n%s", res,
- errorbuffer,
- " Since SSL doesn't offer any true security if you don't use a CA\n"
- " certificate to verify the peer certificate with, you must either\n"
- " provide one to make sure that the server really is the server you\n"
- " think it is, or you must explicitly tell curl that insecure SSL\n"
- " connects are fine.\n"
- " Allow insecure SSL operations with -k/--insecure\n"
- );
- break;
- default:
- fprintf(config->errors, "curl: (%d) %s\n", res, errorbuffer);
- break;
- }
- }
+ if((res!=CURLE_OK) && config->showerror)
+ fprintf(config->errors, "curl: (%d) %s\n", res, errorbuffer);
#endif
if (outfile && !strequal(outfile, "-") && outs.stream)