}
(void)curl_easy_setopt(doh, CURLOPT_SSL_OPTIONS,
- (long)data->set.ssl.primary.ssl_options);
+ ((long)data->set.ssl.primary.ssl_options &
+ ~CURLSSLOPT_AUTO_CLIENT_CERT));
doh->state.internal = TRUE;
doh->master_mid = data->mid; /* master transfer of this one */
}
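Review bot: The mask applied to the DoH handle's CURLOPT_SSL_OPTIONS has no comment saying why CURLSSLOPT_AUTO_CLIENT_CERT is the one bit dropped, so a later cleanup could restore the plain copy without noticing the effect. Judging from the rest of this change, the intent appears to be that an automatically selected client certificate is offered only to the transfer's initial origin, which the DoH resolver is not. I would add above the call `/* never let the DoH handle auto-select a client certificate: the resolver is not the origin the application opted in for */`. The enclosing function starts and ends outside the hunk.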
#endif /* !CURL_DISABLE_RTSP */
-#ifdef USE_SSL
-static void set_ssl_options(struct ssl_config_data *ssl,
- struct ssl_primary_config *config,
- long arg)
-{
- config->ssl_options = (unsigned char)(arg & 0xff);
- ssl->enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
- ssl->no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
- ssl->no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
- ssl->revoke_best_effort = !!(arg & CURLSSLOPT_REVOKE_BEST_EFFORT);
- ssl->native_ca_store = !!(arg & CURLSSLOPT_NATIVE_CA);
- ssl->auto_client_cert = !!(arg & CURLSSLOPT_AUTO_CLIENT_CERT);
- ssl->earlydata = !!(arg & CURLSSLOPT_EARLYDATA);
-}
-#endif
-
static CURLcode setopt_long_bool(struct Curl_easy *data, CURLoption option,
long arg)
{
s->use_ssl = (unsigned char)arg;
break;
case CURLOPT_SSL_OPTIONS:
- set_ssl_options(&s->ssl, &s->ssl.primary, arg);
+ s->ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
break;
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_SSL_OPTIONS:
- set_ssl_options(&s->proxy_ssl, &s->proxy_ssl.primary, arg);
+ s->proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
break;
#endif
case CURLOPT_SSL_ENABLE_NPN:
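Review bot: After this change the CURLOPT_SSL_OPTIONS and CURLOPT_PROXY_SSL_OPTIONS cases store only the raw bits, so the derived flags (`no_revoke`, `revoke_best_effort`, `no_partialchain`, `auto_client_cert` and the rest) keep their previous values until Curl_ssl_easy_config_complete() runs. Any code that reads those flags between setopt and that call, none of which is visible here, would act on stale revocation or client-certificate settings, so it is worth checking that no such reader exists. A comment on both cases would record the new contract, for example `/* raw bits only; the derived ssl_config_data flags are computed in Curl_ssl_easy_config_complete() */`. Note also that the store casts to `unsigned char` while the new reader declares `uint8_t options`; using one type in both places would make the 8-bit limit explicit. The body of setopt_long_bool continues outside the hunk.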
return TRUE;
}
+static void ssl_easy_config_compl_options(struct Curl_peer *origin,
+ struct Curl_peer *initial_origin,
+ struct ssl_config_data *sslc)
+{
+ uint8_t options = sslc->primary.ssl_options;
+ /* If set via CURLOPT_(PROXY_)SSL_OPTIONS, we definitely use it.
+ * If not, we switch it on for supported backends if no custom
+ * ca settings exist. */
+ sslc->native_ca_store = !!(options & CURLSSLOPT_NATIVE_CA);
+ sslc->enable_beast = !!(options & CURLSSLOPT_ALLOW_BEAST);
+ sslc->no_partialchain = !!(options & CURLSSLOPT_NO_PARTIALCHAIN);
+ sslc->no_revoke = !!(options & CURLSSLOPT_NO_REVOKE);
+ sslc->revoke_best_effort = !!(options & CURLSSLOPT_REVOKE_BEST_EFFORT);
+ sslc->earlydata = !!(options & CURLSSLOPT_EARLYDATA);
+
+ sslc->auto_client_cert = Curl_peer_equal(origin, initial_origin) &&
+ !!(options & CURLSSLOPT_AUTO_CLIENT_CERT);
+}
+
CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data,
struct Curl_peer *origin)
{
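Review bot: The comment at the top of ssl_easy_config_compl_options ("If set via CURLOPT_(PROXY_)SSL_OPTIONS, we definitely use it. If not, we switch it on for supported backends ...") describes a native-CA fallback that this helper does not perform; here `native_ca_store` is only copied from the option bit, and the backend-dependent part appears to stay in the caller. The one assignment that carries a security decision, `auto_client_cert`, has no comment at all. I would reduce the first comment to `/* derive the per-option flags from the raw CURLOPT_(PROXY_)SSL_OPTIONS bits */` and add above the last assignment `/* offer an auto-selected client certificate only to the initial origin, never to an origin reached later in the transfer */`. A short header comment stating what `origin` and `initial_origin` may be, including NULL, would also help, since the proxy call passes NULL for both.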
CURLcode result;
#endif
+ ssl_easy_config_compl_options(origin, data->state.initial_origin, sslc);
+
if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
#if defined(USE_APPLE_SECTRUST) || defined(CURL_CA_NATIVE)
if(!sslc->custom_capath && !sslc->custom_cafile && !sslc->custom_cablob)
#ifndef CURL_DISABLE_PROXY
sslc = &data->set.proxy_ssl;
+ /* no initial origin for proxy, it is not changed for redirects */
+ ssl_easy_config_compl_options(NULL, NULL, sslc);
+
if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
#if defined(USE_APPLE_SECTRUST) || defined(CURL_CA_NATIVE)
if(!sslc->custom_capath && !sslc->custom_cafile && !sslc->custom_cablob)
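Review bot: The proxy call `ssl_easy_config_compl_options(NULL, NULL, sslc)` keeps `auto_client_cert` working only if Curl_peer_equal(NULL, NULL) returns TRUE, and that function is not visible in this diff. If it treats a NULL peer as unequal, CURLSSLOPT_AUTO_CLIENT_CERT set through CURLOPT_PROXY_SSL_OPTIONS would be silently ignored. The same question applies to the origin call in the previous hunk if `data->state.initial_origin` can still be NULL when it runs. Please confirm the NULL contract and state it next to the call, for example `/* relies on Curl_peer_equal(NULL, NULL) being TRUE */`, or pin it with a test that sets the proxy option and checks that the flag survives. The surrounding function body continues outside the hunk.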