diff options
author | Jay Satiro <raysatiro@yahoo.com> | 2015-07-17 02:40:16 -0400 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2015-07-17 02:40:16 -0400 |
commit | 172b2beba6b89b632c09be7a88645e3a0607cfe9 (patch) | |
tree | 96d0a159f3ce04f202fb20a939d5999fd3a3eca5 /src | |
parent | 606b29fe0d07144ff13c3a731eef299b72060f91 (diff) |
SSL: Add an option to disable certificate revocation checks
New tool option --ssl-no-revoke.
New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.
Currently this option applies only to WinSSL where we have automatic
certificate revocation checking by default. According to the
ssl-compared chart there are other backends that have automatic checking
(NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
some later point.
Bug: https://github.com/bagder/curl/issues/264
Reported-by: zenden2k <zenden2k@gmail.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/tool_cfgable.h | 1 | ||||
-rw-r--r-- | src/tool_getparam.c | 6 | ||||
-rw-r--r-- | src/tool_help.c | 1 | ||||
-rw-r--r-- | src/tool_operate.c | 5 | ||||
-rw-r--r-- | src/tool_setopt.c | 6 | ||||
-rw-r--r-- | src/tool_setopt.h | 2 |
6 files changed, 19 insertions, 2 deletions
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h index 048eb4ffe..c6a691447 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h @@ -199,6 +199,7 @@ struct OperationConfig { bool xattr; /* store metadata in extended attributes */ long gssapi_delegation; bool ssl_allow_beast; /* allow this SSL vulnerability */ + bool ssl_no_revoke; /* disable SSL certificate revocation checks */ bool use_metalink; /* process given URLs as metalink XML file */ metalinkfile *metalinkfile_list; /* point to the first node */ diff --git a/src/tool_getparam.c b/src/tool_getparam.c index 339fb7b5d..4405bce87 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -221,6 +221,7 @@ static const struct LongShort aliases[]= { {"Ep", "pinnedpubkey", TRUE}, {"Eq", "cert-status", FALSE}, {"Er", "false-start", FALSE}, + {"Es", "ssl-no-revoke", FALSE}, {"f", "fail", FALSE}, {"F", "form", TRUE}, {"Fs", "form-string", TRUE}, @@ -1382,6 +1383,11 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ config->falsestart = TRUE; break; + case 's': /* --ssl-no-revoke */ + if(curlinfo->features & CURL_VERSION_SSL) + config->ssl_no_revoke = TRUE; + break; + default: /* certificate file */ { char *certname, *passphrase; diff --git a/src/tool_help.c b/src/tool_help.c index e0c45954b..6ad51cb5b 100644 --- a/src/tool_help.c +++ b/src/tool_help.c @@ -214,6 +214,7 @@ static const char *const helptext[] = { " -2, --sslv2 Use SSLv2 (SSL)", " -3, --sslv3 Use SSLv3 (SSL)", " --ssl-allow-beast Allow security flaw to improve interop (SSL)", + " --ssl-no-revoke Disable cert revocation checks (WinSSL)", " --stderr FILE Where to redirect stderr (use \"-\" for stdout)", " --tcp-nodelay Use the TCP_NODELAY option", " -t, --telnet-option OPT=VAL Set telnet option", diff --git a/src/tool_operate.c b/src/tool_operate.c index 4c6ff854c..1180555fa 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -1328,8 +1328,9 @@ static CURLcode operate_do(struct GlobalConfig *global, config->gssapi_delegation); /* new in 7.25.0 */ - if(config->ssl_allow_beast) - my_setopt(curl, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_ALLOW_BEAST); + my_setopt_bitmask(curl, CURLOPT_SSL_OPTIONS, + (long)((config->ssl_allow_beast ? CURLSSLOPT_ALLOW_BEAST : 0) | + (config->ssl_no_revoke ? CURLSSLOPT_NO_REVOKE : 0))); if(config->mail_auth) my_setopt_str(curl, CURLOPT_MAIL_AUTH, config->mail_auth); diff --git a/src/tool_setopt.c b/src/tool_setopt.c index a53fdc835..7eb64b039 100644 --- a/src/tool_setopt.c +++ b/src/tool_setopt.c @@ -107,6 +107,12 @@ const NameValue setopt_nv_CURLUSESSL[] = { NVEND, }; +const NameValueUnsigned setopt_nv_CURLSSLOPT[] = { + NV(CURLSSLOPT_ALLOW_BEAST), + NV(CURLSSLOPT_NO_REVOKE), + NVEND, +}; + const NameValue setopt_nv_CURL_NETRC[] = { NV(CURL_NETRC_IGNORED), NV(CURL_NETRC_OPTIONAL), diff --git a/src/tool_setopt.h b/src/tool_setopt.h index fcba94cb2..b32adf988 100644 --- a/src/tool_setopt.h +++ b/src/tool_setopt.h @@ -52,6 +52,7 @@ extern const NameValue setopt_nv_CURL_SSLVERSION[]; extern const NameValue setopt_nv_CURL_TIMECOND[]; extern const NameValue setopt_nv_CURLFTPSSL_CCC[]; extern const NameValue setopt_nv_CURLUSESSL[]; +extern const NameValueUnsigned setopt_nv_CURLSSLOPT[]; extern const NameValue setopt_nv_CURL_NETRC[]; extern const NameValue setopt_nv_CURLPROTO[]; extern const NameValueUnsigned setopt_nv_CURLAUTH[]; @@ -63,6 +64,7 @@ extern const NameValueUnsigned setopt_nv_CURLAUTH[]; #define setopt_nv_CURLOPT_TIMECONDITION setopt_nv_CURL_TIMECOND #define setopt_nv_CURLOPT_FTP_SSL_CCC setopt_nv_CURLFTPSSL_CCC #define setopt_nv_CURLOPT_USE_SSL setopt_nv_CURLUSESSL +#define setopt_nv_CURLOPT_SSL_OPTIONS setopt_nv_CURLSSLOPT #define setopt_nv_CURLOPT_NETRC setopt_nv_CURL_NETRC #define setopt_nv_CURLOPT_PROTOCOLS setopt_nv_CURLPROTO #define setopt_nv_CURLOPT_REDIR_PROTOCOLS setopt_nv_CURLPROTO |