author | Daniel Stenberg <daniel@haxx.se> | 2002-08-26 23:13:25 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2002-08-26 23:13:25 +0000 |
commit | 27a2e590cd64cd6f31472681f0e61167b729e005 (patch) | |
tree | bb014f0d3cd310f5ce31461ce801f3e22c03de74 /lib | |
parent | 7172fa058a84cea26e31dd1c0bdc44889efc2949 (diff) |
SSL_INSECURE support and usage added
Diffstat (limited to 'lib')
-rw-r--r-- | lib/ftp.c | 3 | ||||
-rw-r--r-- | lib/url.c | 22 | ||||
-rw-r--r-- | lib/urldata.h | 7 |
3 files changed, 25 insertions, 7 deletions
@@ -711,8 +711,7 @@ CURLcode ftp_cwd(struct connectdata *conn, char *path) CURLcode result; FTPSENDF(conn, "CWD %s", path); - nread = Curl_GetFTPResponse( - conn->data->state.buffer, conn, &ftpcode); + nread = Curl_GetFTPResponse(conn->data->state.buffer, conn, &ftpcode); if (nread < 0) return CURLE_OPERATION_TIMEOUTED; @@ -1004,10 +1004,11 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...) break; case CURLOPT_CAPATH: /* - * Set CA path info for SSL connection. Specify directory name of the CA certificates - * which have been prepared using openssl c_rehash utility. + * Set CA path info for SSL connection. Specify directory name of the CA + * certificates which have been prepared using openssl c_rehash utility. */ - data->set.ssl.CApath = va_arg(param, char *); /*This does not work on windows.*/ + /* This does not work on windows. */ + data->set.ssl.CApath = va_arg(param, char *); break; case CURLOPT_TELNETOPTIONS: /* @@ -1048,6 +1049,10 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...) } break; + case CURLOPT_SSL_INSECURE: + data->set.ssl.allow_insecure = va_arg(param, long)?TRUE:FALSE; + break; + default: /* unknown tag and its companion, just ignore: */ return CURLE_FAILED_INIT; /* correct this */ @@ -2035,6 +2040,17 @@ static CURLcode CreateConnection(struct SessionHandle *data, return CURLE_UNSUPPORTED_PROTOCOL; } + if(conn->protocol & PROT_SSL) { + /* If SSL is requested, require security level info */ + + if(!data->set.ssl.allow_insecure && + !(data->set.ssl.CAfile || data->set.ssl.CApath)) { + failf(data, "Insecure SSL connect attempted without explicit permission granted"); + return CURLE_SSL_INSECURE; + } + } + + /************************************************************* * Figure out the remote port number * diff --git a/lib/urldata.h b/lib/urldata.h index 0d4a11a8b..ce15dbf9f 100644 --- a/lib/urldata.h +++ b/lib/urldata.h 
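Review bot: The new guard added to CreateConnection (the @@ -2035 hunk) treats a configured CAfile or CApath as sufficient for the connection to count as secure, but it never consults `data->set.ssl.verifypeer` (declared next to these fields in the urldata.h hunk), so a handle with a CA file set and peer verification switched off passes the check and still makes an unverified SSL connect, while the failf text claims permission was required. Consider making the condition `if(!data->set.ssl.allow_insecure && (!data->set.ssl.verifypeer || !(data->set.ssl.CAfile || data->set.ssl.CApath))) {` so that "insecure" means what the error message says, and document the rule in the comment above it, e.g. `/* Without CURLOPT_SSL_INSECURE an SSL connect needs peer verification and a CA location */`. CreateConnection begins and ends outside this hunk, so whether the guard also applies to connections taken from the reuse cache cannot be seen here. CURLE_SSL_INSECURE is not defined within this diff (the diffstat is limited to lib), so presumably it is added to the public header elsewhere in the same change; the new CURLOPT_SSL_INSECURE case in the @@ -1048 hunk is fine as written, though `va_arg(param, long) ? TRUE : FALSE` would match the spacing used elsewhere in Curl_setopt.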
@@ -136,14 +136,17 @@ struct ssl_config_data { long version; /* what version the client wants to use */ long certverifyresult; /* result from the certificate verification */ long verifypeer; /* set TRUE if this is desired */ - long verifyhost; /* 0: no verif, 1: check that CN exists, 2: CN must match hostname */ + long verifyhost; /* 0: no verify + 1: check that CN exists + 2: CN must match hostname */ char *CApath; /* DOES NOT WORK ON WINDOWS */ char *CAfile; /* cerficate to verify peer against */ char *random_file; /* path to file containing "random" data */ char *egdsocket; /* path to file containing the EGD daemon socket */ char *cipher_list; /* list of ciphers to use */ + bool allow_insecure; /* allow connects without any CA certificate */ - long numsessions; /* SSL session id cache size */ + long numsessions; /* SSL session id cache size */ }; /**************************************************************************** |
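Review bot: The new `allow_insecure` member is declared `bool` while the neighbouring flags it is meant to be read alongside (`verifypeer`, `verifyhost`) are `long`, so the struct now mixes two conventions for the same kind of setting; the Curl_setopt case in url.c converts the `long` argument, so it works, but a reader has to check both files to see that. The comment should also state the consequence of the default, since it is what gates the new check in CreateConnection: `bool allow_insecure; /* allow SSL connects without any CA certificate; FALSE (zero-initialised) makes CreateConnection refuse them */` — the zero-initialised default is an assumption about how the SessionHandle is set up and should be confirmed. Whether `bool` is already available to urldata.h via its existing includes cannot be seen from this hunk.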