From: Jan Venekamp <1422460+jan2000@users.noreply.github.com> Date: Mon, 5 Aug 2024 22:09:36 +0000 (+0200) Subject: curl: warn on unsupported SSL options X-Git-Tag: curl-8_10_0~349 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1b25448760a3740889044caf66aeb1de3832edb4;p=thirdparty%2Fcurl.git curl: warn on unsupported SSL options Closes #14406 --- diff --git a/src/tool_operate.c b/src/tool_operate.c index c3bd3f3743..864ec959b7 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -951,6 +951,7 @@ static CURLcode single_transfer(struct GlobalConfig *global, urlnum = state->urlnum; if(state->up < state->infilenum) { + char ssl_ver[80] = "no ssl"; struct per_transfer *per = NULL; struct OutStruct *outs; struct OutStruct *heads; @@ -1660,6 +1661,14 @@ static CURLcode single_transfer(struct GlobalConfig *global, my_setopt(curl, CURLOPT_SSH_COMPRESSION, 1L); } + { + /* get current SSL backend, chop off multissl */ + const char *v = curl_version_info(CURLVERSION_NOW)->ssl_version; + if(v) + msnprintf(ssl_ver, sizeof(ssl_ver), + "%.*s", (int) strcspn(v, " "), v); + } + if(config->cacert) my_setopt_str(curl, CURLOPT_CAINFO, config->cacert); if(config->proxy_cacert) @@ -1668,9 +1677,10 @@ static CURLcode single_transfer(struct GlobalConfig *global, if(config->capath) { result = res_setopt_str(curl, CURLOPT_CAPATH, config->capath); if(result == CURLE_NOT_BUILT_IN) { - warnf(global, "ignoring %s, not supported by libcurl", - capath_from_env? - "SSL_CERT_DIR environment variable":"--capath"); + warnf(global, "ignoring %s, not supported by libcurl with %s", + capath_from_env ? + "SSL_CERT_DIR environment variable" : "--capath", + ssl_ver); } else if(result) break; @@ -1685,8 +1695,10 @@ static CURLcode single_transfer(struct GlobalConfig *global, if((result == CURLE_NOT_BUILT_IN) || (result == CURLE_UNKNOWN_OPTION)) { if(config->proxy_capath) { - warnf(global, - "ignoring --proxy-capath, not supported by libcurl"); + warnf(global, "ignoring %s, not supported by libcurl with %s", + config->proxy_capath ? + "--proxy-capath" : "--capath", + ssl_ver); } } else if(result) @@ -1704,8 +1716,8 @@ static CURLcode single_transfer(struct GlobalConfig *global, blob.len); result = curl_easy_setopt(curl, CURLOPT_CAINFO_BLOB, &blob); if(result == CURLE_NOT_BUILT_IN) { - warnf(global, - "ignoring embedded CA bundle, not supported by libcurl"); + warnf(global, "ignoring %s, not supported by libcurl with %s", + "embedded CA bundle", ssl_ver); } } if(!config->proxy_cacert && !config->proxy_capath) { @@ -1718,8 +1730,8 @@ static CURLcode single_transfer(struct GlobalConfig *global, blob.len); result = curl_easy_setopt(curl, CURLOPT_PROXY_CAINFO_BLOB, &blob); if(result == CURLE_NOT_BUILT_IN) { - warnf(global, - "ignoring embedded CA bundle, not supported by libcurl"); + warnf(global, "ignoring %s, not supported by libcurl with %s", + "embedded CA bundle", ssl_ver); } } #endif @@ -1731,8 +1743,13 @@ static CURLcode single_transfer(struct GlobalConfig *global, else if(config->crlfile) /* CURLOPT_PROXY_CRLFILE default is crlfile */ my_setopt_str(curl, CURLOPT_PROXY_CRLFILE, config->crlfile); - if(config->pinnedpubkey) - my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey); + if(config->pinnedpubkey) { + result = res_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, + config->pinnedpubkey); + if(result == CURLE_NOT_BUILT_IN) + warnf(global, "ignoring %s, not supported by libcurl with %s", + "--pinnedpubkey", ssl_ver); + } if(config->ssl_ec_curves) my_setopt_str(curl, CURLOPT_SSL_EC_CURVES, config->ssl_ec_curves); @@ -2049,19 +2066,34 @@ static CURLcode single_transfer(struct GlobalConfig *global, if(config->doh_url) my_setopt_str(curl, CURLOPT_DOH_URL, config->doh_url); - if(config->cipher_list) - my_setopt_str(curl, CURLOPT_SSL_CIPHER_LIST, config->cipher_list); - - if(config->proxy_cipher_list) - my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST, - config->proxy_cipher_list); - - if(config->cipher13_list) - my_setopt_str(curl, CURLOPT_TLS13_CIPHERS, config->cipher13_list); - - if(config->proxy_cipher13_list) - my_setopt_str(curl, CURLOPT_PROXY_TLS13_CIPHERS, - config->proxy_cipher13_list); + if(config->cipher_list) { + result = res_setopt_str(curl, CURLOPT_SSL_CIPHER_LIST, + config->cipher_list); + if(result == CURLE_NOT_BUILT_IN) + warnf(global, "ignoring %s, not supported by libcurl with %s", + "--ciphers", ssl_ver); + } + if(config->proxy_cipher_list) { + result = res_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST, + config->proxy_cipher_list); + if(result == CURLE_NOT_BUILT_IN) + warnf(global, "ignoring %s, not supported by libcurl with %s", + "--proxy-ciphers", ssl_ver); + } + if(config->cipher13_list) { + result = res_setopt_str(curl, CURLOPT_TLS13_CIPHERS, + config->cipher13_list); + if(result == CURLE_NOT_BUILT_IN) + warnf(global, "ignoring %s, not supported by libcurl with %s", + "--tls13-ciphers", ssl_ver); + } + if(config->proxy_cipher13_list) { + result = res_setopt_str(curl, CURLOPT_PROXY_TLS13_CIPHERS, + config->proxy_cipher13_list); + if(result == CURLE_NOT_BUILT_IN) + warnf(global, "ignoring %s, not supported by libcurl with %s", + "--proxy-tls13-ciphers", ssl_ver); + } /* new in libcurl 7.9.2: */ if(config->disable_epsv)