Diffstat (limited to 'src')
-rw-r--r--src/tool_doswin.c11
-rw-r--r--src/tool_doswin.h1
-rw-r--r--src/tool_operate.c76
3 files changed, 60 insertions, 28 deletions
diff --git a/src/tool_doswin.c b/src/tool_doswin.c
index 91299986a..c3a8826ff 100644
--- a/src/tool_doswin.c
+++ b/src/tool_doswin.c
@@ -638,12 +638,19 @@ char **__crt0_glob_function(char *arg)
*/
CURLcode FindWin32CACert(struct OperationConfig *config,
+ curl_sslbackend backend,
const char *bundle_file)
{
CURLcode result = CURLE_OK;
- /* search and set cert file only if libcurl supports SSL */
- if(curlinfo->features & CURL_VERSION_SSL) {
+ /* Search and set cert file only if libcurl supports SSL.
+ *
+ * If Schannel (WinSSL) is the selected SSL backend then these locations
+ * are ignored. We allow setting CA location for schannel only when
+ * explicitly specified by the user via CURLOPT_CAINFO / --cacert.
+ */
+ if((curlinfo->features & CURL_VERSION_SSL) &&
+ backend != CURLSSLBACKEND_SCHANNEL) {
DWORD res_len;
char buf[PATH_MAX];
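Review bot: The new `backend` parameter is not documented anywhere visible. The function's header comment closes on the first context line of this hunk and begins outside it, so it presumably still describes only `config` and `bundle_file`. I would add a line to it such as `* 'backend' is the active SSL backend; the search is skipped for CURLSSLBACKEND_SCHANNEL.` The one caller changed in this commit (in src/tool_operate.c) already tests `backend != CURLSSLBACKEND_SCHANNEL` before calling, so the check here is a second guard; a short comment saying that it is deliberate would keep a later cleanup from removing one of the two. The function body continues past the end of the hunk.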
diff --git a/src/tool_doswin.h b/src/tool_doswin.h
index f649ef023..289281f4f 100644
--- a/src/tool_doswin.h
+++ b/src/tool_doswin.h
@@ -58,6 +58,7 @@ char **__crt0_glob_function(char *arg);
#ifdef WIN32
CURLcode FindWin32CACert(struct OperationConfig *config,
+ curl_sslbackend backend,
const char *bundle_file);
#endif /* WIN32 */
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 8eac65d6a..932dda6e0 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -228,52 +228,76 @@ static CURLcode operate_do(struct GlobalConfig *global,
if(!config->cacert &&
!config->capath &&
!config->insecure_ok) {
- char *env;
- env = curlx_getenv("CURL_CA_BUNDLE");
- if(env) {
- config->cacert = strdup(env);
- if(!config->cacert) {
- curl_free(env);
- helpf(global->errors, "out of memory\n");
- result = CURLE_OUT_OF_MEMORY;
- goto quit_curl;
- }
+ struct curl_tlssessioninfo *tls_backend_info = NULL;
+
+ /* With the addition of CAINFO support for Schannel, this search could find
+ * a certificate bundle that was previously ignored. To maintain backward
+ * compatibility, only perform this search if not using Schannel.
+ */
+ result = curl_easy_getinfo(config->easy,
+ CURLINFO_TLS_SSL_PTR,
+ &tls_backend_info);
+ if(result) {
+ goto quit_curl;
}
- else {
- env = curlx_getenv("SSL_CERT_DIR");
+
+ /* Set the CA cert locations specified in the environment. For Windows if
+ * no environment-specified filename is found then check for CA bundle
+ * default filename curl-ca-bundle.crt in the user's PATH.
+ *
+ * If Schannel (WinSSL) is the selected SSL backend then these locations
+ * are ignored. We allow setting CA location for schannel only when
+ * explicitly specified by the user via CURLOPT_CAINFO / --cacert.
+ */
+ if(tls_backend_info->backend != CURLSSLBACKEND_SCHANNEL) {
+ char *env;
+ env = curlx_getenv("CURL_CA_BUNDLE");
if(env) {
- config->capath = strdup(env);
- if(!config->capath) {
+ config->cacert = strdup(env);
+ if(!config->cacert) {
curl_free(env);
helpf(global->errors, "out of memory\n");
result = CURLE_OUT_OF_MEMORY;
goto quit_curl;
}
- capath_from_env = true;
}
else {
- env = curlx_getenv("SSL_CERT_FILE");
+ env = curlx_getenv("SSL_CERT_DIR");
if(env) {
- config->cacert = strdup(env);
- if(!config->cacert) {
+ config->capath = strdup(env);
+ if(!config->capath) {
curl_free(env);
helpf(global->errors, "out of memory\n");
result = CURLE_OUT_OF_MEMORY;
goto quit_curl;
}
+ capath_from_env = true;
+ }
+ else {
+ env = curlx_getenv("SSL_CERT_FILE");
+ if(env) {
+ config->cacert = strdup(env);
+ if(!config->cacert) {
+ curl_free(env);
+ helpf(global->errors, "out of memory\n");
+ result = CURLE_OUT_OF_MEMORY;
+ goto quit_curl;
+ }
+ }
}
}
- }
- if(env)
- curl_free(env);
+ if(env)
+ curl_free(env);
#ifdef WIN32
- else {
- result = FindWin32CACert(config, "curl-ca-bundle.crt");
- if(result)
- goto quit_curl;
- }
+ else {
+ result = FindWin32CACert(config, tls_backend_info->backend,
+ "curl-ca-bundle.crt");
+ if(result)
+ goto quit_curl;
+ }
#endif
+ }
}
if(config->postfields) {
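Review bot: `tls_backend_info` is initialised to NULL and then dereferenced at `tls_backend_info->backend` (and again in the WIN32 `FindWin32CACert` call) with only the return code of `curl_easy_getinfo` checked, so the code relies on libcurl always filling the pointer on success. Reading the backend once into a local keeps both uses safe: `curl_sslbackend backend = tls_backend_info ? tls_backend_info->backend : CURLSSLBACKEND_NONE;`, then test and pass `backend`. Separately, with Schannel selected, `CURL_CA_BUNDLE`, `SSL_CERT_DIR` and `SSL_CERT_FILE` are skipped without any message, so a user who set one of them to restrict trust to a private CA gets the Windows certificate store with no indication; a one-line warning when such a variable is set but ignored would make that visible. The early `goto quit_curl` after a failed getinfo also leaves without a `helpf` message, unlike the out-of-memory paths below it. `operate_do` starts and ends outside this hunk.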