From: Daniel Stenberg Date: Tue, 10 May 2022 09:09:47 +0000 (+0200) Subject: quiche: support ca-fallback X-Git-Tag: curl-7_84_0~212 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fdb5e21b4dd171a96cf7c002ee77bb08f8e58021;p=thirdparty%2Fcurl.git quiche: support ca-fallback Follow-up to b01f3e679f4c1ea3 which added this for ngtcp2/openssl Removed from KNOWN_BUGS Fixes #8696 Closes #8830 --- diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS index 983b81420a..0cdda075aa 100644 --- a/docs/KNOWN_BUGS +++ b/docs/KNOWN_BUGS @@ -159,7 +159,6 @@ problems may have been fixed or changed somewhat since this was written. 18. HTTP/3 18.1 If the HTTP/3 server closes connection during upload curl hangs 18.2 Transfer closed with n bytes remaining to read - 18.3 configure --with-ca-fallback is not supported by h3 18.4 timeout when reusing a http3 connection 18.9 connection migration does not work @@ -1126,10 +1125,6 @@ problems may have been fixed or changed somewhat since this was written. https://github.com/curl/curl/issues/8523 -18.3 configure --with-ca-fallback is not supported by h3 - - https://github.com/curl/curl/issues/8696 - 18.4 timeout when reusing a http3 connection HTTP/3 with quiche seems to not work and always timeout a subsequent transfer diff --git a/lib/vquic/quiche.c b/lib/vquic/quiche.c index bfdc966a85..e4bea4d677 100644 --- a/lib/vquic/quiche.c +++ b/lib/vquic/quiche.c 
@@ -201,23 +201,31 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) { struct connectdata *conn = data->conn; - const char * const ssl_cafile = conn->ssl_config.CAfile; - const char * const ssl_capath = conn->ssl_config.CApath; - if(conn->ssl_config.verifypeer) { - SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); - /* tell OpenSSL where to find CA certificates that are used to verify - the server's certificate. */ - if(!SSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) { - /* Fail if we insist on successfully verifying the server. */ - failf(data, "error setting certificate verify locations:" - " CAfile: %s CApath: %s", - ssl_cafile ? ssl_cafile : "none", - ssl_capath ? ssl_capath : "none"); - return NULL; + const char * const ssl_cafile = conn->ssl_config.CAfile; + const char * const ssl_capath = conn->ssl_config.CApath; + if(ssl_cafile || ssl_capath) { + SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); + /* tell OpenSSL where to find CA certificates that are used to verify + the server's certificate. */ + if(!SSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) { + /* Fail if we insist on successfully verifying the server. */ + failf(data, "error setting certificate verify locations:" + " CAfile: %s CApath: %s", + ssl_cafile ? ssl_cafile : "none", + ssl_capath ? ssl_capath : "none"); + return NULL; + } + infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none"); + infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none"); } - infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none"); - infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none"); +#ifdef CURL_CA_FALLBACK + else { + /* verifying the peer without any CA certificates won't work so + use openssl's built-in default as fallback */ + SSL_CTX_set_default_verify_paths(ssl_ctx); + } +#endif } } return ssl_ctx;
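Review bot: In the new `CURL_CA_FALLBACK` `else` branch, `SSL_CTX_set_default_verify_paths(ssl_ctx)` loads the built-in trust store but `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL)` is never reached, because on the new side that call now sits inside `if(ssl_cafile || ssl_capath)`; unless the verify mode is set somewhere outside this hunk, the fallback path ends up with OpenSSL's default mode and the peer certificate is not required to validate. The return value of `SSL_CTX_set_default_verify_paths()` is also ignored, whereas the sibling branch treats a failed `SSL_CTX_load_verify_locations()` as fatal with `failf()` and `return NULL`; a fallback that silently fails to load any roots should be reported the same way. Hoisting the `SSL_CTX_set_verify()` call above the `if` and turning the fallback into an `else if` that fails the context on error keeps both branches equivalent in strictness, as sketched below. The hunk is collapsed onto one line, so blank context lines and the exact placement of the surrounding `verifypeer` check cannot be recovered here; the enclosing `quic_ssl_ctx()` starts before the hunk and its closing brace is past the final `return ssl_ctx;`.
```c
      const char * const ssl_cafile = conn->ssl_config.CAfile;
      const char * const ssl_capath = conn->ssl_config.CApath;
      /* require a valid peer certificate in both the explicit-path and the
         built-in-default case */
      SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
      if(ssl_cafile || ssl_capath) {
        /* … unchanged: SSL_CTX_load_verify_locations, failf, infof … */
      }
#ifdef CURL_CA_FALLBACK
      else if(!SSL_CTX_set_default_verify_paths(ssl_ctx)) {
        /* no explicit CA location and the built-in default could not be
           loaded: refuse the context rather than proceed unverified */
        failf(data, "error setting default certificate verify paths");
        return NULL;
      }
#endif
```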