Changelog
+Daniel (30 Aug 2002)
+- Applied an anonymous SOCKS5-proxy patch. Not properly working in all
+ situations though, as all getaddrinfo()-using libcurls will fail on this.
+
+- Fixed up the SSL cert fixes from the other day even more after more inputs
+ from Cris. Added three new error codes to make the CURLE_SSL_CONNECT_ERROR
+ slightly less overloaded.
+
Daniel (27 Aug 2002)
- After lots of talk with Tom Zerucha, Nick Gimbrone and Cris Bailiff I
- decided to talk the bold path and I now introduced the CURLOPT_SSL_INSECURE
- option that needs to be set to TRUE to allow libcurl to connect to SSL sites
- without using a CA certificate to verify it with.
+ decided to talk the bold path and I now made libcurl do CA certificate
+ verification by default. Thus library users need to explicitly turn this off
+ if you want to connect to sites without proper checking. We also install a
+ CA cert bundle on 'make install' now.
- The curl tool similarly requires the -k/--insecure optin in order to allow
+ The curl tool now requires the -k/--insecure option in order to allow
connections and operations on SSL sites that aren't properly verified with
- -cafile or --capath
+ -cafile or --capath.
Daniel (26 Aug 2002)
- Andrew Francis cleaned up some code that now compiles fine without the need
dnl let's not keep "no" as path name, blank it instead
ca=""
else
- AC_DEFINE_UNQUOTED(CURL_CA_BUNDLE, $ca, [CA bundle full path name])
+ AC_DEFINE_UNQUOTED(CURL_CA_BUNDLE, "$ca", [CA bundle full path name])
fi
CURL_CA_BUNDLE="$ca"
CURLE_SEND_ERROR, /* 55 - failed sending network data */
CURLE_RECV_ERROR, /* 56 - failure in receiving network data */
CURLE_SHARE_IN_USE, /* 57 - share is in use */
- CURLE_SSL_INSECURE, /* 58 - connect attempt without certificate
- but SSL_INSECURE not explicitly allowed */
+ CURLE_SSL_CERTPROBLEM, /* 58 - problem with the local certificate */
+ CURLE_SSL_CIPHER, /* 59 - couldn't use specified cipher */
+ CURLE_SSL_CACERT, /* 60 - problem with the CA cert (path?) */
+
CURL_LAST /* never use! */
} CURLcode;
/* Provide a CURLShare for mutexing non-ts data */
CINIT(SHARE, OBJECTPOINT, 100),
- /* Explicitly allow insecure SSL connects */
- CINIT(SSL_INSECURE, LONG, 101),
-
/* indicates type of proxy. accepted values are CURLPROXY_HTTP (default),
CURLPROXY_SOCKS4 and CURLPROXY_SOCKS5. */
- CINIT(PROXYTYPE, LONG, 102),
+ CINIT(PROXYTYPE, LONG, 101),
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
install-data-hook:
@if test -n "@CURL_CA_BUNDLE@"; then \
+ $(mkinstalldirs) `dirname $(DESTDIR)@CURL_CA_BUNDLE@`; \
@INSTALL_DATA@ ca-bundle.crt $(DESTDIR)@CURL_CA_BUNDLE@; \
fi
data->set.key,
data->set.key_type)) {
/* failf() is already done in cert_stuff() */
- return CURLE_SSL_CONNECT_ERROR;
+ return CURLE_SSL_CERTPROBLEM;
}
}
if (!SSL_CTX_set_cipher_list(conn->ssl.ctx,
data->set.ssl.cipher_list)) {
failf(data, "failed setting cipher list");
- return CURLE_SSL_CONNECT_ERROR;
+ return CURLE_SSL_CIPHER;
}
}
data->set.ssl.CAfile,
data->set.ssl.CApath)) {
failf(data,"error setting cerficate verify locations");
- return CURLE_SSL_CONNECT_ERROR;
+ return CURLE_SSL_CACERT;
}
}
else
#include "ldap.h"
#include "url.h"
#include "connect.h"
+#include "ca-bundle.h"
#include <curl/types.h>
free(data);
return CURLE_OUT_OF_MEMORY;
}
-
+
+ /*
+ * libcurl 7.10 introduces SSL verification *by default*! This needs to be
+ * switched off unless wanted.
+ */
+ data->set.ssl.verifypeer = TRUE;
+ data->set.ssl.verifyhost = 2;
+#ifdef CURL_CA_BUNDLE
+ /* This is our prefered CA cert bundle since install time */
+ data->set.ssl.CAfile = CURL_CA_BUNDLE;
+#endif
+
+
memset(data->state.connects, 0,
sizeof(struct connectdata *)*data->state.numconnects);
*curl = data;
-
return CURLE_OK;
}
}
break;
- case CURLOPT_SSL_INSECURE:
- data->set.ssl.allow_insecure = va_arg(param, long)?TRUE:FALSE;
- break;
-
case CURLOPT_PROXYTYPE:
/*
* Set proxy type. HTTP/SOCKS4/SOCKS5
return CURLE_UNSUPPORTED_PROTOCOL;
}
- if(conn->protocol & PROT_SSL) {
- /* If SSL is requested, require security level info */
-
- if(!data->set.ssl.allow_insecure &&
- !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
- failf(data, "Insecure SSL connect attempted without explicit permission granted");
- return CURLE_SSL_INSECURE;
- }
- }
-
-
/*************************************************************
* Figure out the remote port number
*
char *random_file; /* path to file containing "random" data */
char *egdsocket; /* path to file containing the EGD daemon socket */
char *cipher_list; /* list of ciphers to use */
- bool allow_insecure; /* allow connects without any CA certificate */
-
long numsessions; /* SSL session id cache size */
};
curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, config->key_passwd);
if(config->cacert || config->capath) {
- if (config->cacert) curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
- if (config->capath) curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
+ if (config->cacert)
+ curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
+
+ if (config->capath)
+ curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
}
- else
+ else {
+ if(config->insecure_ok)
+ /* new stuff needed for libcurl 7.10 */
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
+
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
+ }
if((config->conf&CONF_NOBODY) ||
config->remote_time) {
}
curl_easy_setopt(curl, CURLOPT_VERBOSE, config->conf&CONF_VERBOSE);
- /* new in curl 7.10 */
- curl_easy_setopt(curl, CURLOPT_SSL_INSECURE, config->insecure_ok);
-
res = curl_easy_perform(curl);
if((config->progressmode == CURL_PROGRESS_BAR) &&
vms_show = VMSSTS_HIDE;
}
#else
- if((res!=CURLE_OK) && config->showerror) {
- switch(res) {
- case CURLE_SSL_INSECURE:
- /* Since this breaks how curl used to work, we need a slightly more
- verbose and descriptive error here to educate people what is
- happening and what to do to make it work. At least for a
- while. */
- fprintf(config->errors, "curl: (%d) %s\n%s", res,
- errorbuffer,
- " Since SSL doesn't offer any true security if you don't use a CA\n"
- " certificate to verify the peer certificate with, you must either\n"
- " provide one to make sure that the server really is the server you\n"
- " think it is, or you must explicitly tell curl that insecure SSL\n"
- " connects are fine.\n"
- " Allow insecure SSL operations with -k/--insecure\n"
- );
- break;
- default:
- fprintf(config->errors, "curl: (%d) %s\n", res, errorbuffer);
- break;
- }
- }
+ if((res!=CURLE_OK) && config->showerror)
+ fprintf(config->errors, "curl: (%d) %s\n", res, errorbuffer);
#endif
if (outfile && !strequal(outfile, "-") && outs.stream)
projects / thirdparty / curl.git / commitdiff
