Diffstat (limited to 'lib')
-rw-r--r-- | lib/Makefile.am | 1 | ||||
-rw-r--r-- | lib/ssluse.c | 6 | ||||
-rw-r--r-- | lib/url.c | 31 | ||||
-rw-r--r-- | lib/urldata.h | 2 |
4 files changed, 18 insertions, 22 deletions
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 6307ca790..12a582d92 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -72,5 +72,6 @@ $(srcdir)/getdate.c: getdate.y
 install-data-hook:
 @if test -n "@CURL_CA_BUNDLE@"; then \
+ $(mkinstalldirs) `dirname $(DESTDIR)@CURL_CA_BUNDLE@`; \
 @INSTALL_DATA@ ca-bundle.crt $(DESTDIR)@CURL_CA_BUNDLE@; \
 fi
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 3c7f1ba21..5a002f01c 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -722,7 +722,7 @@ Curl_SSLConnect(struct connectdata *conn)
 data->set.key,
 data->set.key_type)) {
 /* failf() is already done in cert_stuff() */
- return CURLE_SSL_CONNECT_ERROR;
+ return CURLE_SSL_CERTPROBLEM;
 }
 }
@@ -730,7 +730,7 @@ Curl_SSLConnect(struct connectdata *conn)
 if (!SSL_CTX_set_cipher_list(conn->ssl.ctx, data->set.ssl.cipher_list)) {
 failf(data, "failed setting cipher list");
- return CURLE_SSL_CONNECT_ERROR;
+ return CURLE_SSL_CIPHER;
 }
 }
@@ -743,7 +743,7 @@ Curl_SSLConnect(struct connectdata *conn)
 data->set.ssl.CAfile,
 data->set.ssl.CApath)) {
 failf(data,"error setting cerficate verify locations");
- return CURLE_SSL_CONNECT_ERROR;
+ return CURLE_SSL_CACERT;
 }
 }
 else
@@ -111,6 +111,7 @@
 #include "ldap.h"
 #include "url.h"
 #include "connect.h"
+#include "ca-bundle.h"
 #include <curl/types.h>
@@ -293,12 +294,23 @@ CURLcode Curl_open(struct SessionHandle **curl)
 free(data);
 return CURLE_OUT_OF_MEMORY;
 }
-
+
+ /*
+ * libcurl 7.10 introduces SSL verification *by default*! This needs to be
+ * switched off unless wanted.
+ */
+ data->set.ssl.verifypeer = TRUE;
+ data->set.ssl.verifyhost = 2;
+#ifdef CURL_CA_BUNDLE
+ /* This is our prefered CA cert bundle since install time */
+ data->set.ssl.CAfile = CURL_CA_BUNDLE;
+#endif
+
+
 memset(data->state.connects, 0, sizeof(struct connectdata *)*data->state.numconnects);
 *curl = data;
-
 return CURLE_OK;
 }
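Review bot: The added `$(mkinstalldirs)` line passes the output of `dirname` unquoted, so a configured CURL_CA_BUNDLE path containing whitespace would be split into several directory arguments before the following `@INSTALL_DATA@` line then fails on the same path. Wrapping the backtick substitution in double quotes keeps it as a single argument, which is the form the rest of the hook already relies on via the quoted `test -n "@CURL_CA_BUNDLE@"`. The `$(srcdir)/getdate.c` rule named in the hunk header is outside the hunk.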
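Review bot: In the Curl_open hunk, `data->set.ssl.CAfile = CURL_CA_BUNDLE;` stores a pointer to a compile-time string literal in the same field that the CAfile option sets from the application, and the hunk does not show whether any later path frees or writes through CAfile; if one does, it would now operate on a literal, so the ownership should be stated next to the assignment, e.g. `/* not owned: points at a compile-time literal, never free()d */`. The new block comment also under-describes the failure mode: with verifypeer on and CURL_CA_BUNDLE undefined, CAfile stays NULL, and per the ssluse.c hunk the verify-location setup then returns CURLE_SSL_CACERT on every SSL connect until the application supplies a CA file/path or turns verifypeer off — worth saying in that comment so the default is not a surprise. "prefered" in the `#ifdef` comment should read "preferred". Curl_open continues outside the hunk, as do the three Curl_SSLConnect hunks, whose new return codes look consistent with their failf() messages.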
@@ -1051,10 +1063,6 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
 }
 break;
- case CURLOPT_SSL_INSECURE:
- data->set.ssl.allow_insecure = va_arg(param, long)?TRUE:FALSE;
- break;
-
 case CURLOPT_PROXYTYPE:
 /*
 * Set proxy type. HTTP/SOCKS4/SOCKS5
@@ -2247,17 +2255,6 @@ static CURLcode CreateConnection(struct SessionHandle *data,
 return CURLE_UNSUPPORTED_PROTOCOL;
 }
- if(conn->protocol & PROT_SSL) {
- /* If SSL is requested, require security level info */
-
- if(!data->set.ssl.allow_insecure &&
- !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
- failf(data, "Insecure SSL connect attempted without explicit permission granted");
- return CURLE_SSL_INSECURE;
- }
- }
-
-
 /*************************************************************
 * Figure out the remote port number
 *
diff --git a/lib/urldata.h b/lib/urldata.h
index 5a93150b2..2f183711e 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -144,8 +144,6 @@ struct ssl_config_data {
 char *random_file; /* path to file containing "random" data */
 char *egdsocket; /* path to file containing the EGD daemon socket */
 char *cipher_list; /* list of ciphers to use */
- bool allow_insecure; /* allow connects without any CA certificate */
-
 long numsessions; /* SSL session id cache size */
 }; |
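Review bot: With the CreateConnection guard removed, a handle that has verifypeer set but neither CAfile nor CApath is no longer rejected before the connect; from what the ssluse.c hunks show, the first rejection is now the verify-location failure returning CURLE_SSL_CACERT with the generic "error setting cerficate verify locations" message, which is a less specific diagnosis than the removed "Insecure SSL connect" failf(). Whether CURLOPT_SSL_INSECURE and CURLE_SSL_INSECURE are also dropped from the public header is not visible here; if they remain, an application still passing that option now reaches whatever Curl_setopt does for unhandled options, so a one-line comment where the case used to be would help, e.g. `/* CURLOPT_SSL_INSECURE removed: verification is governed by verifypeer/verifyhost */`. Curl_setopt and CreateConnection both begin and end outside their hunks; the urldata.h field removal matches the last use removed above.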