aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CHANGES5
-rw-r--r--RELEASE-NOTES3
-rw-r--r--docs/libcurl/libcurl-errors.34
-rw-r--r--include/curl/curl.h2
-rw-r--r--lib/gtls.c7
-rw-r--r--lib/ssluse.c2
-rw-r--r--lib/strerror.c3
-rw-r--r--tests/data/test3052
8 files changed, 22 insertions, 6 deletions
diff --git a/CHANGES b/CHANGES
index 67020ae4d..6d91774b2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
Changelog
+Daniel (21 October 2006)
+- Armel Asselin separated CA cert verification problems from problems with
+ reading the (local) CA cert file to let users easier pinpoint the actual
+ problem. CURLE_SSL_CACERT_BADFILE (77) is the new libcurl error code.
+
Daniel (18 October 2006)
- Removed the "protocol-guessing" for URLs with host names starting with FTPS
or TELNET since they are practically non-existant. This leaves us with only
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 6fd5cc1cb..1d8f64241 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -10,7 +10,8 @@ Curl and libcurl 7.16.0
Number of contributors: 515
This release includes the following changes:
-
+
+ o Added CURLE_SSL_CACERT_BADFILE
o Added CURLMOPT_TIMERFUNCTION
o The CURLOPT_SOURCE_* options are removed and so are the --3p* command line
options
diff --git a/docs/libcurl/libcurl-errors.3 b/docs/libcurl/libcurl-errors.3
index 1d6936002..062bf83de 100644
--- a/docs/libcurl/libcurl-errors.3
+++ b/docs/libcurl/libcurl-errors.3
@@ -174,7 +174,7 @@ problem with the local client certificate
.IP "CURLE_SSL_CIPHER (59)"
couldn't use specified cipher
.IP "CURLE_SSL_CACERT (60)"
-problem with the CA cert (path? access rights?)
+peer certificate cannot be authenticated with known CA certificates
.IP "CURLE_BAD_CONTENT_ENCODING (61)"
Unrecognized transfer encoding
.IP "CURLE_LDAP_INVALID_URL (62)"
@@ -208,6 +208,8 @@ No such TFTP user
Character conversion failed
.IP "CURLE_CONV_REQD (76)"
Caller must register conversion callbacks
+.IP "CURLE_SSL_CACERT_BADFILE (77)"
+Problem with reading the SSL CA cert (path? access rights?)
.SH "CURLMcode"
This is the generic return code used by functions in the libcurl multi
interface. Also consider \fIcurl_multi_strerror(3)\fP.
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 548c7f848..36b52bb05 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -390,6 +390,8 @@ typedef enum {
CURLOPT_CONV_FROM_NETWORK_FUNCTION,
CURLOPT_CONV_TO_NETWORK_FUNCTION, and
CURLOPT_CONV_FROM_UTF8_FUNCTION */
+ CURLE_SSL_CACERT_BADFILE, /* 77 - could not load CACERT file, missing
+ or wrong format */
CURL_LAST /* never use! */
} CURLcode;
diff --git a/lib/gtls.c b/lib/gtls.c
index b202adfd4..02680d02b 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -234,9 +234,12 @@ Curl_gtls_connect(struct connectdata *conn,
rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
data->set.ssl.CAfile,
GNUTLS_X509_FMT_PEM);
- if(rc < 0)
+ if(rc < 0) {
infof(data, "error reading ca cert file %s (%s)\n",
data->set.ssl.CAfile, gnutls_strerror(rc));
+ if (data->set.ssl.verifypeer)
+ return CURLE_SSL_CACERT_BADFILE;
+ }
else
infof(data, "found %d certificates in %s\n",
rc, data->set.ssl.CAfile);
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 2d6a6fed6..28c2ef62b 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1272,7 +1272,7 @@ Curl_ossl_connect_step1(struct connectdata *conn,
" CAfile: %s\n CApath: %s\n",
data->set.ssl.CAfile ? data->set.ssl.CAfile : "none",
data->set.ssl.CApath ? data->set.ssl.CApath : "none");
- return CURLE_SSL_CACERT;
+ return CURLE_SSL_CACERT_BADFILE;
}
else {
/* Just continue with a warning if no strict certificate verification
diff --git a/lib/strerror.c b/lib/strerror.c
index 62ccfe9a0..3e466c688 100644
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -227,6 +227,9 @@ curl_easy_strerror(CURLcode error)
return "couldn't use specified SSL cipher";
case CURLE_SSL_CACERT:
+ return "peer certificate cannot be authenticated with known CA certificates";
+
+ case CURLE_SSL_CACERT_BADFILE:
return "problem with the SSL CA cert (path? access rights?)";
case CURLE_BAD_CONTENT_ENCODING:
diff --git a/tests/data/test305 b/tests/data/test305
index f814225b9..0e01ea2e9 100644
--- a/tests/data/test305
+++ b/tests/data/test305
@@ -28,6 +28,6 @@ https://%HOSTIP:%HTTPSPORT/want/305 --cacert moooo
<protocol>
</protocol>
<errorcode>
-60
+77
</errorcode>
</verify>