From 7b55279d1d856c9ef19d942c2672a3d616254452 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Tue, 24 Mar 2015 13:25:17 +0100 Subject: configure: --with-ca-fallback: use built-in TLS CA fallback When trying to verify a peer without having any root CA certificates set, this makes libcurl use the TLS library's built in default as fallback. Closes #569 --- acinclude.m4 | 18 ++++++++++++++++++ configure.ac | 1 + lib/vtls/gtls.c | 10 +++++++++- lib/vtls/openssl.c | 7 +++++++ 4 files changed, 35 insertions(+), 1 deletion(-) diff --git a/acinclude.m4 b/acinclude.m4 index ce61ca6b5..037c27d7c 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -2665,6 +2665,24 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), if test "x$ca" = "xno" && test "x$capath" = "xno"; then AC_MSG_RESULT([no]) fi + + AC_MSG_CHECKING([whether to use builtin CA store of SSL library]) + AC_ARG_WITH(ca-fallback, +AC_HELP_STRING([--with-ca-fallback], [Use the built in CA store of the SSL library]) +AC_HELP_STRING([--without-ca-fallback], [Don't use the built in CA store of the SSL library]), + [ + if test "x$with_ca_fallback" != "xyes" -a "x$with_ca_fallback" != "xno"; then + AC_MSG_ERROR([--with-ca-fallback only allows yes or no as parameter]) + fi + ], + [ with_ca_fallback="no"]) + AC_MSG_RESULT([$with_ca_fallback]) + if test "x$with_ca_fallback" = "xyes"; then + if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1"; then + AC_MSG_ERROR([--with-ca-fallback only works with OpenSSL or GnuTLS]) + fi + AC_DEFINE_UNQUOTED(CURL_CA_FALLBACK, 1, [define "1" to use built in CA store of SSL library ]) + fi ]) diff --git a/configure.ac b/configure.ac index 4c9862fc4..3b4139328 100644 --- a/configure.ac +++ b/configure.ac @@ -3895,6 +3895,7 @@ AC_MSG_NOTICE([Configured to build curl/libcurl: SSPI support: ${curl_sspi_msg} ca cert bundle: ${ca} ca cert path: ${capath} + ca fallback: ${with_ca_fallback} LDAP support: ${curl_ldap_msg} LDAPS support: ${curl_ldaps_msg} RTSP support: ${curl_rtsp_msg} diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index a9702c4a4..2c7eb1729 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -487,6 +487,14 @@ gtls_connect_step1(struct connectdata *conn, } #endif +#ifdef CURL_CA_FALLBACK + /* use system ca certificate store as fallback */ + if(data->set.ssl.verifypeer && + !(data->set.ssl.CAfile || data->set.ssl.CApath)) { + gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred); + } +#endif + if(data->set.ssl.CRLfile) { /* set the CRL list file */ rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred, diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 70cfb84af..b36c6a611 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -1960,6 +1960,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]: "none"); } +#ifdef CURL_CA_FALLBACK + else if(data->set.ssl.verifypeer) { + /* verfying the peer without any CA certificates won't + work so use openssl's built in default as fallback */ + SSL_CTX_set_default_verify_paths(connssl->ctx); + } +#endif if(data->set.str[STRING_SSL_CRLFILE]) { /* tell SSL where to find CRL file that is used to check certificate -- cgit v1.2.3