authorDaniel Stenberg <daniel@haxx.se>2012-10-27 12:31:39 +0200
committerDaniel Stenberg <daniel@haxx.se>2012-11-06 19:46:53 +0100
commitda82f59b697310229ccdf66104d5d65a44dfab98 (patch)
treee7e96d9878ad6ea7536342fc12083b489d28bad0 /lib/urldata.h
parentab1f80200a6d1bcbac167ede429be52f3ef838bc (diff)
CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value
After a research team wrote a document[1] that found several live code bases in the wild that misused the CURLOPT_SSL_VERIFYHOST option, thinking it was a boolean, this change now bans 1 as a value and makes libcurl return an error for it. 1 was never a sensible value to use in production but was introduced back in the days to help debugging. It was always documented clearly this way. 1 was never supported by all SSL backends in libcurl, so this cleanup makes the treatment of it unified. The report's list of mistakes for this option was all PHP code and, while there is a binding layer between libcurl and PHP, the PHP team has decided that they keep as thin a layer as possible on top of libcurl, so they will not alter or specifically filter a 'TRUE' value for this particular option. I sympathize with that position. [1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
Diffstat (limited to 'lib/urldata.h')
-rw-r--r--lib/urldata.h11
1 files changed, 5 insertions, 6 deletions
diff --git a/lib/urldata.h b/lib/urldata.h
index 5f893c92e..4116c341f 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -332,10 +332,9 @@ struct ssl_connect_data {
struct ssl_config_data {
long version; /* what version the client wants to use */
long certverifyresult; /* result from the certificate verification */
- long verifypeer; /* set TRUE if this is desired */
- long verifyhost; /* 0: no verify
- 1: check that CN exists
- 2: CN must match hostname */
+
+ bool verifypeer; /* set TRUE if this is desired */
+ bool verifyhost; /* set TRUE if CN/SAN must match hostname */
char *CApath; /* certificate dir (doesn't work on windows) */
char *CAfile; /* certificate to verify peer against */
const char *CRLfile; /* CRL to check certificate revocation */
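Review bot: The retained comment on the new `bool verifypeer` still reads `set TRUE if this is desired`, which names no subject, while its companion `verifyhost` now says exactly what it checks; the pair should read together, e.g. `bool verifypeer; /* TRUE: verify the peer certificate chain against CAfile/CApath */`. It is also worth a one-line note above the two fields that they are independent flags and that a hostname match against a chain that was never verified authenticates nothing, e.g. `/* both must be TRUE for the peer to be authenticated */`. Nothing in this header enforces that relationship, so the comment is a pointer for readers of the struct, not a check; where the long passed to CURLOPT_SSL_VERIFYHOST is narrowed to this bool lives outside the hunk.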
@@ -994,8 +993,8 @@ struct connectdata {
int socks5_gssapi_enctype;
#endif
- long verifypeer;
- long verifyhost;
+ bool verifypeer;
+ bool verifyhost;
/* When this connection is created, store the conditions for the local end
bind. This is stored before the actual bind and before any connection is