diff options
| author | Alessandro Ghedini <alessandro@ghedini.me> | 2014-06-16 13:20:47 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2015-01-16 23:23:29 +0100 |
| commit | 3af90a6e19249807f99bc9ee7b50d3e58849072a (patch) | |
| tree | a8e4e31842fcf4b40dbb283847940ea2e83ee3d4 /lib | |
| parent | 5e113a18c56e0743e377854ab18c79305b2830ea (diff) | |
url: add CURLOPT_SSL_VERIFYSTATUS option
This option can be used to enable/disable certificate status verification using
the "Certificate Status Request" TLS extension defined in RFC6066 section 8.
This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
certificate status verification fails, and the Curl_ssl_cert_status_request()
function, used to check whether the SSL backend supports the status_request
extension.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/strerror.c | 5 | ||||
| -rw-r--r-- | lib/url.c | 11 | ||||
| -rw-r--r-- | lib/urldata.h | 1 | ||||
| -rw-r--r-- | lib/vtls/vtls.c | 12 | ||||
| -rw-r--r-- | lib/vtls/vtls.h | 2 |
5 files changed, 30 insertions, 1 deletions
diff --git a/lib/strerror.c b/lib/strerror.c index b85b56839..56e438563 100644 --- a/lib/strerror.c +++ b/lib/strerror.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2004 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 2004 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -301,6 +301,9 @@ curl_easy_strerror(CURLcode error) case CURLE_SSL_PINNEDPUBKEYNOTMATCH: return "SSL public key does not match pinned public key"; + case CURLE_SSL_INVALIDCERTSTATUS: + return "SSL server certificate status verification FAILED"; + /* error codes not used by current libcurl */ case CURLE_OBSOLETE20: case CURLE_OBSOLETE24: @@ -1997,6 +1997,17 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, data->set.ssl.verifyhost = (0 != arg)?TRUE:FALSE; break; + case CURLOPT_SSL_VERIFYSTATUS: + /* + * Enable certificate status verifying. + */ + if(!Curl_ssl_cert_status_request()) { + result = CURLE_NOT_BUILT_IN; + break; + } + + data->set.ssl.verifystatus = (0 != va_arg(param, long))?TRUE:FALSE; + break; case CURLOPT_SSL_CTX_FUNCTION: #ifdef have_curlssl_ssl_ctx /* diff --git a/lib/urldata.h b/lib/urldata.h index 5f774704a..50a745f11 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -366,6 +366,7 @@ struct ssl_config_data { bool verifypeer; /* set TRUE if this is desired */ bool verifyhost; /* set TRUE if CN/SAN must match hostname */ + bool verifystatus; /* set TRUE if certificate status must be checked */ char *CApath; /* certificate dir (doesn't work on windows) */ char *CAfile; /* certificate to verify peer against */ const char *CRLfile; /* CRL to check certificate revocation */ diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index a53ff4ad6..cf1df24e4 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -848,4 +848,16 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */ #endif } +/* + * Check whether the SSL backend supports the status_request extension. + */ +bool Curl_ssl_cert_status_request(void) +{ +#ifdef curlssl_cert_status_request + return curlssl_cert_status_request(); +#else + return FALSE; +#endif +} + #endif /* USE_SSL */ diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h index 19ef1cd6e..eedf9212c 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -116,6 +116,8 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */ CURLcode Curl_pin_peer_pubkey(const char *pinnedpubkey, const unsigned char *pubkey, size_t pubkeylen); +bool Curl_ssl_cert_status_request(void); + #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ #else |