From: Jay Satiro Date: Mon, 22 Jun 2020 16:01:32 +0000 (-0400) Subject: openssl: Don't ignore CA paths when using Windows CA store X-Git-Tag: curl-7_71_0~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=abbc5d60;p=thirdparty%2Fcurl.git openssl: Don't ignore CA paths when using Windows CA store This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the CA store can now be used at the same time. The change is due to the impending release. The issue is still being discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and is now documented as experimental. Ref: bc052cc (parent commit) Ref: https://github.com/curl/curl/issues/5585 --- diff --git a/docs/EXPERIMENTAL.md b/docs/EXPERIMENTAL.md index 34974fba81..bca2bd910a 100644 --- a/docs/EXPERIMENTAL.md +++ b/docs/EXPERIMENTAL.md @@ -21,3 +21,4 @@ Experimental support in curl means: - HTTP/3 support and options - alt-svc support and options - MQTT + - CURLSSLOPT_NATIVE_CA (No configure option, feature built in when supported) diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 index 52b2817e9d..1b8e412671 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 +++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 @@ -57,8 +57,9 @@ library). If combined with \fICURLSSLOPT_NO_REVOKE\fP, the latter takes precedence. (Added in 7.70.0) .IP CURLSSLOPT_NATIVE_CA Tell libcurl to use the operating system's native CA store for certificate -verifiction. Works only on Windows when built to use OpenSSL. This option -overrides \fICURLOPT_CAINFO(3)\fP if both are set. (Added in 7.71.0) +verification. Works only on Windows when built to use OpenSSL. This option is +experimental and behavior is subject to change. +(Added in 7.71.0) .SH DEFAULT 0 .SH PROTOCOLS diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 897ca6880f..790d35862a 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2488,6 +2488,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); char error_buffer[256]; struct ssl_backend_data *backend = connssl->backend; + bool imported_native_ca = false; DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); @@ -2940,9 +2941,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) if(X509_STORE_add_cert(store, x509) == 1) { #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) infof(data, "SSL: Imported cert \"%s\"\n", cert_name); -#else - do {} while(0); #endif + imported_native_ca = true; } X509_free(x509); } @@ -2953,16 +2953,12 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) if(result) return result; - - infof(data, "successfully set certificate verify locations " - "to windows ca store\n"); - } - else { - infof(data, "error setting certificate verify locations " - "to windows ca store, continuing anyway\n"); } + if(imported_native_ca) + infof(data, "successfully imported windows ca store\n"); + else + infof(data, "error importing windows ca store, continuing anyway\n"); } - else #endif #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) @@ -2998,7 +2994,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) /* tell SSL where to find CA certificates that are used to verify the servers certificate. */ if(!SSL_CTX_load_verify_locations(backend->ctx, ssl_cafile, ssl_capath)) { - if(verifypeer) { + if(verifypeer && !imported_native_ca) { /* Fail if we insist on successfully verifying the server. */ failf(data, "error setting certificate verify locations:\n" " CAfile: %s\n CApath: %s", @@ -3006,7 +3002,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) ssl_capath ? ssl_capath : "none"); return CURLE_SSL_CACERT_BADFILE; } - /* Just continue with a warning if no strict certificate verification + /* Just continue with a warning if no strict certificate verification is required. */ infof(data, "error setting certificate verify locations," " continuing anyway:\n"); @@ -3024,7 +3020,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) #endif #ifdef CURL_CA_FALLBACK - if(verifypeer && !ssl_cafile && !ssl_capath) { + if(verifypeer && !ssl_cafile && !ssl_capath && !imported_native_ca) { /* verifying the peer without any CA certificates won't work so use openssl's built in default as fallback */ SSL_CTX_set_default_verify_paths(backend->ctx);