15. Schannel
15.1 Extend support for client certificate authentication
15.2 Extend support for the --ciphers option
- 15.3 Add option to disable client certificate auto-send
15.4 Add option to allow abrupt server closure
16. SASL
- Specifying Schannel Ciphers and Cipher Strengths
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx
-15.3 Add option to disable client certificate auto-send
-
- Microsoft says "By default, Schannel will, with no notification to the client,
- attempt to locate a client certificate and send it to the server." That could
- be considered a privacy violation and unexpected.
-
- Some Windows users have come to expect that default behavior and to change the
- default to make it consistent with other SSL backends would be a breaking
- change. An option should be added that can be used to disable the default
- Schannel auto-send behavior.
-
- https://github.com/curl/curl/issues/2262
-
15.4 Add option to allow abrupt server closure
libcurl w/schannel will error without a known termination point from the
proxy-pinnedpubkey.d \
proxy-service-name.d \
proxy-ssl-allow-beast.d \
+ proxy-ssl-auto-client-cert.d \
proxy-tls13-ciphers.d \
proxy-tlsauthtype.d \
proxy-tlspassword.d \
speed-limit.d \
speed-time.d \
ssl-allow-beast.d \
+ ssl-auto-client-cert.d \
ssl-no-revoke.d \
ssl-reqd.d \
ssl-revoke-best-effort.d \
--- /dev/null
+Long: proxy-ssl-auto-client-cert
+Help: Use auto client certificate for proxy (Schannel)
+Added: 7.77.0
+Category: proxy tls
+---
+Same as --ssl-auto-client-cert but used in HTTPS proxy context.
--- /dev/null
+Long: ssl-auto-client-cert
+Help: Use auto client certificate (Schannel)
+Added: 7.77.0
+See-also: proxy-ssl-auto-client-cert
+Category: tls
+---
+Tell libcurl to automatically locate and use a client certificate for
+authentication, when requested by the server. This option is only supported
+for Schannel (the native Windows SSL library). Prior to 7.77.0 this was the
+default behavior in libcurl with Schannel. Since the server can request any
+certificate that supports client authentication in the OS certificate store it
+could be a privacy violation and unexpected.
does by default. This option is only supported for OpenSSL and will fail the
certificate verification if the chain ends with an intermediate certificate
and not with a root cert. (Added in 7.68.0)
-
.IP CURLSSLOPT_REVOKE_BEST_EFFORT
Tells libcurl to ignore certificate revocation checks in case of missing or
offline distribution points for those SSL backends where such behavior is
present. This option is only supported for Schannel (the native Windows SSL
library). If combined with \fICURLSSLOPT_NO_REVOKE\fP, the latter takes
precedence. (Added in 7.70.0)
+.IP CURLSSLOPT_AUTO_CLIENT_CERT
+Tell libcurl to automatically locate and use a client certificate for
+authentication, when requested by the server. This option is only supported
+for Schannel (the native Windows SSL library). Prior to 7.77.0 this was the
+default behavior in libcurl with Schannel. Since the server can request any
+certificate that supports client authentication in the OS certificate store it
+could be a privacy violation and unexpected.
+(Added in 7.77.0)
.SH DEFAULT
0
.SH PROTOCOLS
verification. Works only on Windows when built to use OpenSSL. This option is
experimental and behavior is subject to change.
(Added in 7.71.0)
+.IP CURLSSLOPT_AUTO_CLIENT_CERT
+Tell libcurl to automatically locate and use a client certificate for
+authentication, when requested by the server. This option is only supported
+for Schannel (the native Windows SSL library). Prior to 7.77.0 this was the
+default behavior in libcurl with Schannel. Since the server can request any
+certificate that supports client authentication in the OS certificate store it
+could be a privacy violation and unexpected.
+(Added in 7.77.0)
.SH DEFAULT
0
.SH PROTOCOLS
CURLSSLBACKEND_SECURETRANSPORT 7.64.1
CURLSSLBACKEND_WOLFSSL 7.49.0
CURLSSLOPT_ALLOW_BEAST 7.25.0
+CURLSSLOPT_AUTO_CLIENT_CERT 7.77.0
CURLSSLOPT_NATIVE_CA 7.71.0
CURLSSLOPT_NO_PARTIALCHAIN 7.68.0
CURLSSLOPT_NO_REVOKE 7.44.0
--proxy-pinnedpubkey 7.59.0
--proxy-service-name 7.43.0
--proxy-ssl-allow-beast 7.52.0
+--proxy-ssl-auto-client-cert 7.77.0
--proxy-tls13-ciphers 7.61.0
--proxy-tlsauthtype 7.52.0
--proxy-tlspassword 7.52.0
--speed-time (-y) 4.7
--ssl 7.20.0
--ssl-allow-beast 7.25.0
+--ssl-auto-client-cert 7.77.0
--ssl-no-revoke 7.44.0
--ssl-reqd 7.20.0
--ssl-revoke-best-effort 7.70.0
operating system. Currently implemented under MS-Windows. */
#define CURLSSLOPT_NATIVE_CA (1<<4)
+/* - CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl to automatically locate and use
+ a client certificate for authentication. (Schannel) */
+#define CURLSSLOPT_AUTO_CLIENT_CERT (1<<5)
+
/* The default connection attempt delay in milliseconds for happy eyeballs.
CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
this value, keep them in sync. */
(data->set.ssl.revoke_best_effort ?
CURLSSLOPT_REVOKE_BEST_EFFORT : 0) |
(data->set.ssl.native_ca_store ?
- CURLSSLOPT_NATIVE_CA : 0);
+ CURLSSLOPT_NATIVE_CA : 0) |
+ (data->set.ssl.auto_client_cert ?
+ CURLSSLOPT_AUTO_CLIENT_CERT : 0);
+
curl_easy_setopt(doh, CURLOPT_SSL_OPTIONS, mask);
}
data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
data->set.ssl.revoke_best_effort = !!(arg & CURLSSLOPT_REVOKE_BEST_EFFORT);
data->set.ssl.native_ca_store = !!(arg & CURLSSLOPT_NATIVE_CA);
+ data->set.ssl.auto_client_cert = !!(arg & CURLSSLOPT_AUTO_CLIENT_CERT);
/* If a setting is added here it should also be added in dohprobe()
which sets its own CURLOPT_SSL_OPTIONS based on these settings. */
break;
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
- data->set.proxy_ssl.native_ca_store = !!(arg & CURLSSLOPT_NATIVE_CA);
data->set.proxy_ssl.revoke_best_effort =
!!(arg & CURLSSLOPT_REVOKE_BEST_EFFORT);
+ data->set.proxy_ssl.native_ca_store = !!(arg & CURLSSLOPT_NATIVE_CA);
+ data->set.proxy_ssl.auto_client_cert =
+ !!(arg & CURLSSLOPT_AUTO_CLIENT_CERT);
break;
#endif
BIT(revoke_best_effort); /* ignore SSL revocation offline/missing revocation
list errors */
BIT(native_ca_store); /* use the native ca store of operating system */
+ BIT(auto_client_cert); /* automatically locate and use a client
+ certificate for authentication (Schannel) */
};
struct ssl_general_config {
"names in server certificates.\n"));
}
+ /* security request flags */
+ BACKEND->req_flags = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
+ ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY |
+ ISC_REQ_STREAM;
+
+ if(!SSL_SET_OPTION(auto_client_cert)) {
+ schannel_cred.dwFlags &= ~SCH_CRED_USE_DEFAULT_CREDS;
+ schannel_cred.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;
+ BACKEND->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
+ infof(data, "schannel: disabled automatic use of client certificate\n");
+ }
+ else
+ infof(data, "schannel: enabled automatic use of client certificate\n");
+
switch(conn->ssl_config.version) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
InitSecBuffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
InitSecBufferDesc(&outbuf_desc, &outbuf, 1);
- /* setup request flags */
- BACKEND->req_flags = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
- ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY |
- ISC_REQ_STREAM;
-
/* allocate memory for the security context handle */
BACKEND->ctxt = (struct Curl_schannel_ctxt *)
calloc(1, sizeof(struct Curl_schannel_ctxt));
d c X'0008'
d CURLSSLOPT_NATIVE_CA...
d c X'0010'
+ d CURLSSLOPT_AUTO_CLIENT_CERT...
+ d c X'0020'
*
d CURL_HET_DEFAULT...
d c 200
revocation list errors */
bool native_ca_store; /* use the native os ca store */
+ bool ssl_auto_client_cert; /* automatically locate and use a client
+ certificate for authentication (Schannel) */
+ bool proxy_ssl_auto_client_cert; /* proxy version of ssl_auto_client_cert */
bool use_metalink; /* process given URLs as metalink XML file */
struct metalinkfile *metalinkfile_list; /* point to the first node */
{"El", "tlspassword", ARG_STRING},
{"Em", "tlsauthtype", ARG_STRING},
{"En", "ssl-allow-beast", ARG_BOOL},
- /* Eo */
+ {"Eo", "ssl-auto-client-cert", ARG_BOOL},
+ {"EO", "proxy-ssl-auto-client-cert", ARG_BOOL},
{"Ep", "pinnedpubkey", ARG_STRING},
{"EP", "proxy-pinnedpubkey", ARG_STRING},
{"Eq", "cert-status", ARG_BOOL},
config->ssl_allow_beast = toggle;
break;
+ case 'o': /* --ssl-auto-client-cert */
+ if(curlinfo->features & CURL_VERSION_SSL)
+ config->ssl_auto_client_cert = toggle;
+ break;
+
+ case 'O': /* --proxy-ssl-auto-client-cert */
+ if(curlinfo->features & CURL_VERSION_SSL)
+ config->proxy_ssl_auto_client_cert = toggle;
+ break;
+
case 'p': /* Pinned public key DER file */
GetStr(&config->pinnedpubkey, nextarg);
break;
{" --proxy-ssl-allow-beast",
"Allow security flaw for interop for HTTPS proxy",
CURLHELP_PROXY | CURLHELP_TLS},
+ {" --proxy-ssl-auto-client-cert",
+ "Use auto client certificate for proxy (Schannel)",
+ CURLHELP_PROXY | CURLHELP_TLS},
{" --proxy-tls13-ciphers <ciphersuite list>",
"TLS 1.3 proxy cipher suites",
CURLHELP_PROXY | CURLHELP_TLS},
{" --ssl-allow-beast",
"Allow security flaw to improve interop",
CURLHELP_TLS},
+ {" --ssl-auto-client-cert",
+ "Use auto client certificate (Schannel)",
+ CURLHELP_TLS},
{" --ssl-no-revoke",
"Disable cert revocation checks (Schannel)",
CURLHELP_TLS},
{
long mask =
- (config->ssl_allow_beast ? CURLSSLOPT_ALLOW_BEAST : 0) |
+ (config->ssl_allow_beast ?
+ CURLSSLOPT_ALLOW_BEAST : 0) |
+ (config->ssl_no_revoke ?
+ CURLSSLOPT_NO_REVOKE : 0) |
(config->ssl_revoke_best_effort ?
CURLSSLOPT_REVOKE_BEST_EFFORT : 0) |
(config->native_ca_store ?
CURLSSLOPT_NATIVE_CA : 0) |
- (config->ssl_no_revoke ? CURLSSLOPT_NO_REVOKE : 0);
+ (config->ssl_auto_client_cert ?
+ CURLSSLOPT_AUTO_CLIENT_CERT : 0);
if(mask)
my_setopt_bitmask(curl, CURLOPT_SSL_OPTIONS, mask);
}
- if(config->proxy_ssl_allow_beast)
- my_setopt(curl, CURLOPT_PROXY_SSL_OPTIONS,
- (long)CURLSSLOPT_ALLOW_BEAST);
+ {
+ long mask =
+ (config->proxy_ssl_allow_beast ?
+ CURLSSLOPT_ALLOW_BEAST : 0) |
+ (config->proxy_ssl_auto_client_cert ?
+ CURLSSLOPT_AUTO_CLIENT_CERT : 0);
+
+ if(mask)
+ my_setopt_bitmask(curl, CURLOPT_PROXY_SSL_OPTIONS, mask);
+ }
}
if(config->path_as_is)
NV(CURLSSLOPT_NO_PARTIALCHAIN),
NV(CURLSSLOPT_REVOKE_BEST_EFFORT),
NV(CURLSSLOPT_NATIVE_CA),
+ NV(CURLSSLOPT_AUTO_CLIENT_CERT),
NVEND,
};
#define setopt_nv_CURLOPT_FTP_SSL_CCC setopt_nv_CURLFTPSSL_CCC
#define setopt_nv_CURLOPT_USE_SSL setopt_nv_CURLUSESSL
#define setopt_nv_CURLOPT_SSL_OPTIONS setopt_nv_CURLSSLOPT
+#define setopt_nv_CURLOPT_PROXY_SSL_OPTIONS setopt_nv_CURLSSLOPT
#define setopt_nv_CURLOPT_NETRC setopt_nv_CURL_NETRC
#define setopt_nv_CURLOPT_PROTOCOLS setopt_nv_CURLPROTO
#define setopt_nv_CURLOPT_REDIR_PROTOCOLS setopt_nv_CURLPROTO
projects / thirdparty / curl.git / commitdiff
