HTTPS-proxy: fixed mbedtls and polishing
authorOkhin Vasilij <OkhinVI@gmail.com>
Mon, 21 Nov 2016 10:01:25 +0000 (17:01 +0700)
committerDaniel Stenberg <daniel@haxx.se>
Thu, 24 Nov 2016 22:41:45 +0000 (23:41 +0100)
30 files changed:
docs/libcurl/opts/CURLINFO_PROXY_SSL_VERIFYRESULT.3
docs/libcurl/opts/CURLOPT_PROXY_CAINFO.3
docs/libcurl/opts/CURLOPT_PROXY_CAPATH.3
docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.3
docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.3
docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.3
docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.3
docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.3
docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.3
docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3
docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.3
docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3
docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYHOST.3
docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYPEER.3
docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.3
docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.3
docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.3
docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3
docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.3
docs/libcurl/symbols-in-versions
lib/curl_sasl.c
lib/http_proxy.c
lib/multi.c
lib/url.c
lib/vtls/darwinssl.c
lib/vtls/gskit.c
lib/vtls/gtls.c
lib/vtls/mbedtls.c
lib/vtls/openssl.c
lib/vtls/schannel.c

index 8f09df5c4f129f99f27517c9a8a674239d386a11..34892f54f7893dce0516b451bd3d9f4591645eb8 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLINFO_PROXY_SSL_VERIFYRESULT 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_getinfo options"
+.TH CURLINFO_PROXY_SSL_VERIFYRESULT 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_getinfo options"
 .SH NAME
 CURLINFO_PROXY_SSL_VERIFYRESULT \- get the result of the proxy certification verification
 .SH SYNOPSIS
index 31fc562e8596ed75929103da1cf80568c7e46c06..d240b37fd88aa04b08eb1d33db91f48184ff4f26 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_CAINFO 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_CAINFO 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_CAINFO \- path to proxy Certificate Authority (CA) bundle
 .SH SYNOPSIS
index 7c984538a66c13d36df9ca9895d01016825e0cad..d1dfb06a04883c479419da80a9e8aa4152fd186d 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_CAPATH 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_CAPATH 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_CAPATH \- specify directory holding proxy CA certificates
 .SH SYNOPSIS
index 956cc56915ba7c6dfe2b7ec8a0d16ee2d76a1975..1d0dc6397f77c189ab8f02f59cc6c7810ca912a5 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_CRLFILE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_CRLFILE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_CRLFILE \- specify a proxy Certificate Revocation List file
 .SH SYNOPSIS
@@ -52,8 +52,6 @@ NULL
 All TLS-based protocols
 .SH EXAMPLE
 TODO
-.SH AVAILABILITY
-Added in 7.51.1
 .SH RETURN VALUE
 Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
 CURLE_OUT_OF_MEMORY if there was insufficient heap space.
index 5f328020eda3420756d385023795648321588df2..1abd329d39056f1fe849cdf582468108296d9ef2 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_KEYPASSWD 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_KEYPASSWD 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_KEYPASSWD \- set passphrase to proxy private key
 .SH SYNOPSIS
index 8ce38592dd910b06face998c0e929771057e7f29..d69f6e632f1c22845cfc0de44fd7a9e1435cd55f 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_SSLCERT 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSLCERT 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_SSLCERT \- set SSL proxy client certificate
 .SH SYNOPSIS
index 297cc0c300d8a11a84f5a298e827825b7f46134d..326330c618535a06385837b314fa0dd0ee3a4b62 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_SSLCERTTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSLCERTTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_SSLCERTTYPE \- specify type of the proxy client SSL certificate
 .SH SYNOPSIS
index 6301ae8f46472c5bfd9479f4aff9021e6f0b3bc7..e5c7369ae8341907f347454c0de2829c395a2e8c 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_SSLKEY 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSLKEY 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_SSLKEY \- specify private keyfile for TLS and SSL proxy client cert
 .SH SYNOPSIS
index 8c81b49f00e6877d58855f8b7e8743fd689bed5a..97454f925dafa4fd2d58672c52a99e9aa61f29d4 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_SSLKEYTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSLKEYTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_SSLKEYTYPE \- set type of the proxy private key file
 .SH SYNOPSIS
index ef65b169cd6f03e8f0cb2fcbc993a5169720c7ab..0e91be93246a1856882859d283709d39f6dc1168 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_SSLVERSION 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSLVERSION 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_SSLVERSION \- set proxy preferred TLS/SSL version
 .SH SYNOPSIS
@@ -50,7 +50,7 @@ TLSv1.1 (Added in 7.34.0)
 .IP CURL_SSLVERSION_TLSv1_2
 TLSv1.2 (Added in 7.34.0)
 .IP CURL_SSLVERSION_TLSv1_3
-TLSv1.3 (Added in 7.51.1)
+TLSv1.3 (Added in 7.52.0)
 .RE
 .SH DEFAULT
 CURL_SSLVERSION_DEFAULT
index a7cbc6af785cb0ca8cb9dcfa5959d73cfaa8adf9..f872952add17aaeeb7a2bcca12183983b85549fb 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_SSL_CIPHER_LIST 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSL_CIPHER_LIST 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_SSL_CIPHER_LIST \- specify ciphers to use for proxy TLS
 .SH SYNOPSIS
index 6b4cbaeb41298533b3228406a7c32c81773e136a..45402dfab3bcaf077965120bb0c8028188803409 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_SSL_OPTIONS 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSL_OPTIONS 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_SSL_OPTIONS \- set proxy SSL behavior options
 .SH SYNOPSIS
index 9a0d69ab6c8538b4e8b4c9db409a36675389d067..e72027a8b9e4e80bb9a1c3f4d9c34a5991d29a67 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_SSL_VERIFYHOST 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSL_VERIFYHOST 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_SSL_VERIFYHOST \- verify the proxy certificate's name against host
 .SH SYNOPSIS
index 294c77b3724064f95340c9594f800c200bcfe6bf..0eb902bb18499cfa595149af310697b62ba14a1e 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_SSL_VERIFYPEER 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSL_VERIFYPEER 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_SSL_VERIFYPEER \- verify the proxy peer's SSL certificate
 .SH SYNOPSIS
index ed2544bd14b9214c6adf0caf40040d30e2a4cd84..1d824fed0999c7d61381f34e224c4cad91f933ad 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_TLSAUTH_PASSWORD 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_TLSAUTH_PASSWORD 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_TLSAUTH_PASSWORD \- password to use for proxy TLS authentication
 .SH SYNOPSIS
index f30256ab7c59397a2aeab121235f1013bf00b07c..228a42e46fee9458eee1c1a595af5298ac860984 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_TLSAUTH_TYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_TLSAUTH_TYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_TLSAUTH_TYPE \- set proxy TLS authentication methods
 .SH SYNOPSIS
index 53c8378a4a57231764fa4b4fe763844652157287..e8d4e4d1eabd24972b744f998c46aa2f12acec7e 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_PROXY_TLSAUTH_USERNAME 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_TLSAUTH_USERNAME 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_PROXY_TLSAUTH_USERNAME \- user name to use for proxy TLS authentication
 .SH SYNOPSIS
index bddb40a1820c684f1576926aa4e4369378a69e91..aad3d40a56c4993f7c74a892271fd763291374de 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_SOCKS_PROXY 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_SOCKS_PROXY 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_SOCKS_PROXY \- set socks proxy to use
 .SH SYNOPSIS
index 789bfb877b21164b1f5ef97e3dc20e5c96fce779..21002406709bf729be598be993f9302b0819ba05 100644 (file)
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_SOCKS_PROXYTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_SOCKS_PROXYTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_SOCKS_PROXYTYPE \- socks proxy protocol type
 .SH SYNOPSIS
index fb3330f14db6eff4aa8cbdee07f1fbcbb2796ae6..1d58d51c131f45acf4cad6245066928dcf71c694 100644 (file)
@@ -240,7 +240,7 @@ CURLINFO_PRIMARY_IP             7.19.0
 CURLINFO_PRIMARY_PORT           7.21.0
 CURLINFO_PRIVATE                7.10.3
 CURLINFO_PROXYAUTH_AVAIL        7.10.8
-CURLINFO_PROXY_SSL_VERIFYRESULT 7.51.1
+CURLINFO_PROXY_SSL_VERIFYRESULT 7.52.0
 CURLINFO_REDIRECT_COUNT         7.9.7
 CURLINFO_REDIRECT_TIME          7.9.7
 CURLINFO_REDIRECT_URL           7.18.2
@@ -469,23 +469,23 @@ CURLOPT_PROXYPORT               7.1
 CURLOPT_PROXYTYPE               7.10
 CURLOPT_PROXYUSERNAME           7.19.1
 CURLOPT_PROXYUSERPWD            7.1
-CURLOPT_PROXY_CAINFO            7.51.1
-CURLOPT_PROXY_CAPATH            7.51.1
-CURLOPT_PROXY_CRLFILE           7.51.1
-CURLOPT_PROXY_KEYPASSWD         7.51.1
+CURLOPT_PROXY_CAINFO            7.52.0
+CURLOPT_PROXY_CAPATH            7.52.0
+CURLOPT_PROXY_CRLFILE           7.52.0
+CURLOPT_PROXY_KEYPASSWD         7.52.0
 CURLOPT_PROXY_SERVICE_NAME      7.43.0
-CURLOPT_PROXY_SSLCERT           7.51.1
-CURLOPT_PROXY_SSLCERTTYPE       7.51.1
-CURLOPT_PROXY_SSLKEY            7.51.1
-CURLOPT_PROXY_SSLKEYTYPE        7.51.1
-CURLOPT_PROXY_SSLVERSION        7.51.1
-CURLOPT_PROXY_SSL_CIPHER_LIST   7.51.1
-CURLOPT_PROXY_SSL_OPTIONS       7.51.1
-CURLOPT_PROXY_SSL_VERIFYHOST    7.51.1
-CURLOPT_PROXY_SSL_VERIFYPEER    7.51.1
-CURLOPT_PROXY_TLSAUTH_PASSWORD  7.51.1
-CURLOPT_PROXY_TLSAUTH_TYPE      7.51.1
-CURLOPT_PROXY_TLSAUTH_USERNAME  7.51.1
+CURLOPT_PROXY_SSLCERT           7.52.0
+CURLOPT_PROXY_SSLCERTTYPE       7.52.0
+CURLOPT_PROXY_SSLKEY            7.52.0
+CURLOPT_PROXY_SSLKEYTYPE        7.52.0
+CURLOPT_PROXY_SSLVERSION        7.52.0
+CURLOPT_PROXY_SSL_CIPHER_LIST   7.52.0
+CURLOPT_PROXY_SSL_OPTIONS       7.52.0
+CURLOPT_PROXY_SSL_VERIFYHOST    7.52.0
+CURLOPT_PROXY_SSL_VERIFYPEER    7.52.0
+CURLOPT_PROXY_TLSAUTH_PASSWORD  7.52.0
+CURLOPT_PROXY_TLSAUTH_TYPE      7.52.0
+CURLOPT_PROXY_TLSAUTH_USERNAME  7.52.0
 CURLOPT_PROXY_TRANSFER_MODE     7.18.0
 CURLOPT_PUT                     7.1
 CURLOPT_QUOTE                   7.1
@@ -515,8 +515,8 @@ CURLOPT_SOCKOPTDATA             7.16.0
 CURLOPT_SOCKOPTFUNCTION         7.16.0
 CURLOPT_SOCKS5_GSSAPI_NEC       7.19.4
 CURLOPT_SOCKS5_GSSAPI_SERVICE   7.19.4        7.49.0
-CURLOPT_SOCKS_PROXY             7.51.1
-CURLOPT_SOCKS_PROXYTYPE         7.51.1
+CURLOPT_SOCKS_PROXY             7.52.0
+CURLOPT_SOCKS_PROXYTYPE         7.52.0
 CURLOPT_SOURCE_HOST             7.12.1        -           7.15.5
 CURLOPT_SOURCE_PATH             7.12.1        -           7.15.5
 CURLOPT_SOURCE_PORT             7.12.1        -           7.15.5
@@ -630,7 +630,7 @@ CURLPROTO_TELNET                7.19.4
 CURLPROTO_TFTP                  7.19.4
 CURLPROXY_HTTP                  7.10
 CURLPROXY_HTTP_1_0              7.19.4
-CURLPROXY_HTTPS                 7.51.1
+CURLPROXY_HTTPS                 7.52.0
 CURLPROXY_SOCKS4                7.10
 CURLPROXY_SOCKS4A               7.18.0
 CURLPROXY_SOCKS5                7.10
index 6b869621687df50a229eaea9ab941e713ead3ac5..19efbf58338ad616b7a263acc1296216f580c0b2 100644 (file)
@@ -262,6 +262,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
   size_t len = 0;
   saslstate state1 = SASL_STOP;
   saslstate state2 = SASL_FINAL;
+  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+    conn->host.name;
+  const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
 #if defined(USE_KERBEROS5)
   const char* service = data->set.str[STRING_SERVICE_NAME] ?
                         data->set.str[STRING_SERVICE_NAME] :
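Review bot: The `SSL_IS_PROXY()` selection added at the top of this hunk would bind the OAUTHBEARER `host=`/`port=` attributes to the HTTPS proxy's name and port rather than to the mail server, yet SASL is negotiated with the origin server through the tunnel and never with the proxy, so the proxy is not a valid authentication target here. If SSL_IS_PROXY() is only true while the proxy handshake is still in progress (its definition is not visible in this diff), the proxy branch is dead but misleading; if it can be true at this point, the bearer token is presented with the wrong host binding. I would drop the conditional and keep only the remote_port correction: `const char * const hostname = conn->host.name;` and `const long int port = conn->remote_port;`. The same two lines are repeated in Curl_sasl_continue further down and deserve the same treatment. Curl_sasl_start begins before this hunk and continues after it.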
@@ -341,8 +344,8 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
 
       if(force_ir || data->set.sasl_ir)
         result = Curl_auth_create_oauth_bearer_message(data, conn->user,
-                                                       conn->host.name,
-                                                       conn->port,
+                                                       hostname,
+                                                       port,
                                                        conn->oauth_bearer,
                                                        &resp, &len);
     }
@@ -408,6 +411,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
   struct Curl_easy *data = conn->data;
   saslstate newstate = SASL_FINAL;
   char *resp = NULL;
+  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+    conn->host.name;
+  const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
 #if !defined(CURL_DISABLE_CRYPTO_AUTH)
   char *serverdata;
   char *chlg = NULL;
@@ -542,8 +548,8 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
     /* Create the authorisation message */
     if(sasl->authused == SASL_MECH_OAUTHBEARER) {
       result = Curl_auth_create_oauth_bearer_message(data, conn->user,
-                                                     conn->host.name,
-                                                     conn->port,
+                                                     hostname,
+                                                     port,
                                                      conn->oauth_bearer,
                                                      &resp, &len);
 
index cd4cac06dcc648e7b6b05d6548fb87b9b2c3f0c7..bbe2e8eb16a77edf14266ac6ede49626222dd965 100644 (file)
@@ -63,6 +63,8 @@ static CURLcode https_proxy_connect(struct connectdata *conn, int sockindex)
   }
   return result;
 #else
+  (void) conn;
+  (void) sockindex;
   return CURLE_NOT_BUILT_IN;
 #endif
 }
index 07a903da57a899385c3041d4ba9c1803a9f86718..950b600cba351e0cc91caff7ba3b47c096527b43 100644 (file)
@@ -813,8 +813,10 @@ static int waitconnect_getsock(struct connectdata *conn,
   if(!numsocks)
     return GETSOCK_BLANK;
 
+#ifdef USE_SSL
   if(CONNECT_FIRSTSOCKET_PROXY_SSL())
     return Curl_ssl_getsock(conn, sock, numsocks);
+#endif
 
   for(i=0; i<2; i++) {
     if(conn->tempsock[i] != CURL_SOCKET_BAD) {
index 15ba92cae1da64dbb9551e0c1ce20e7b3cbe99dd..ad5921353d837bcbf9b983a9e86385c7d09c0de8 100644 (file)
--- a/lib/url.c
+++ b/lib/url.c
@@ -3786,10 +3786,6 @@ ConnectionExists(struct Curl_easy *data,
 CURLcode Curl_connected_proxy(struct connectdata *conn, int sockindex)
 {
   CURLcode result = CURLE_OK;
-  /* if(!conn->bits.proxy || sockindex) */
-    /* this magic only works for the primary socket as the secondary is used
-       for FTP only and it has FTP specific magic in ftp.c */
-    /* return CURLE_OK; */
 
   if(conn->bits.socksproxy) {
 #ifndef CURL_DISABLE_PROXY
@@ -3823,6 +3819,8 @@ CURLcode Curl_connected_proxy(struct connectdata *conn, int sockindex)
       result = CURLE_COULDNT_CONNECT;
     } /* switch proxytype */
     conn->bits.socksproxy_connecting = FALSE;
+#else
+  (void)sockindex;
 #endif /* CURL_DISABLE_PROXY */
   }
 
index e4b4a6b481bd47c4acd4a5e6d6c3b405d640d1f3..705bff9125d08bc99a4cf91e9749336b5df1f55b 100644 (file)
@@ -1038,6 +1038,12 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
   struct Curl_easy *data = conn->data;
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+  const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+  char * const ssl_cert = SSL_SET_OPTION(cert);
+  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+    conn->host.name;
+  const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
 #ifdef ENABLE_IPV6
   struct in6_addr addr;
 #else
@@ -1233,34 +1239,33 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
   }
 #endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
 
-  if(data->set.str[STRING_KEY_ORIG]) {
+  if(SSL_SET_OPTION(key)) {
     infof(data, "WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure "
           "Transport. The private key must be in the Keychain.\n");
   }
 
-  if(data->set.str[STRING_CERT_ORIG]) {
+  if(ssl_cert) {
     SecIdentityRef cert_and_key = NULL;
-    bool is_cert_file = is_file(data->set.str[STRING_CERT_ORIG]);
+    bool is_cert_file = is_file(ssl_cert);
 
     /* User wants to authenticate with a client cert. Look for it:
        If we detect that this is a file on disk, then let's load it.
        Otherwise, assume that the user wants to use an identity loaded
        from the Keychain. */
     if(is_cert_file) {
-      if(!data->set.ssl.cert_type)
+      if(!SSL_SET_OPTION(cert_type))
         infof(data, "WARNING: SSL: Certificate type not set, assuming "
-              "PKCS#12 format.\n");
-      else if(strncmp(data->set.ssl.cert_type, "P12",
-                      strlen(data->set.ssl.cert_type)))
+                    "PKCS#12 format.\n");
+      else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
+        strlen(SSL_SET_OPTION(cert_type))) != 0)
         infof(data, "WARNING: SSL: The Security framework only supports "
-              "loading identities that are in PKCS#12 format.\n");
-      err = CopyIdentityFromPKCS12File(data->set.str[STRING_CERT_ORIG],
-                                       data->set.ssl.key_passwd,
-                                       &cert_and_key);
+                    "loading identities that are in PKCS#12 format.\n");
+
+      err = CopyIdentityFromPKCS12File(ssl_cert,
+        SSL_SET_OPTION(key_passwd), &cert_and_key);
     }
     else
-      err = CopyIdentityWithLabel(data->set.str[STRING_CERT_ORIG],
-                                  &cert_and_key);
+      err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
 
     if(err == noErr) {
       SecCertificateRef cert = NULL;
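Review bot: The warning at the start of this hunk still names CURLOPT_SSLKEY even though the condition is now `SSL_SET_OPTION(key)`, which presumably also fires when only the proxy key option is set, so a user debugging a CURLOPT_PROXY_SSLKEY problem gets the wrong option name. Something like `"WARNING: SSL: CURLOPT_SSLKEY/CURLOPT_PROXY_SSLKEY is ignored by Secure Transport. The private key must be in the Keychain.\n"` keeps the message accurate for both paths. The `strncmp(..., "P12", strlen(SSL_SET_OPTION(cert_type)))` comparison is unchanged by the commit but worth a note: bounding by the length of the user string means any prefix of "P12" (e.g. "P") is accepted silently. The enclosing darwinssl_connect_step1 extends beyond this hunk on both sides.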
@@ -1301,24 +1306,24 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
       switch(err) {
       case errSecAuthFailed: case -25264: /* errSecPkcs12VerifyFailure */
         failf(data, "SSL: Incorrect password for the certificate \"%s\" "
-              "and its private key.", data->set.str[STRING_CERT_ORIG]);
+                    "and its private key.", ssl_cert);
         break;
       case -26275: /* errSecDecode */ case -25257: /* errSecUnknownFormat */
         failf(data, "SSL: Couldn't make sense of the data in the "
-              "certificate \"%s\" and its private key.",
-              data->set.str[STRING_CERT_ORIG]);
+                    "certificate \"%s\" and its private key.",
+                    ssl_cert);
         break;
       case -25260: /* errSecPassphraseRequired */
         failf(data, "SSL The certificate \"%s\" requires a password.",
-              data->set.str[STRING_CERT_ORIG]);
+                    ssl_cert);
         break;
       case errSecItemNotFound:
         failf(data, "SSL: Can't find the certificate \"%s\" and its private "
-              "key in the Keychain.", data->set.str[STRING_CERT_ORIG]);
+                    "key in the Keychain.", ssl_cert);
         break;
       default:
         failf(data, "SSL: Can't load the certificate \"%s\" and its private "
-              "key: OSStatus %d", data->set.str[STRING_CERT_ORIG], err);
+                    "key: OSStatus %d", ssl_cert, err);
         break;
       }
       return CURLE_SSL_CERTPROBLEM;
@@ -1350,8 +1355,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 #else
   if(SSLSetSessionOption != NULL) {
 #endif /* CURL_BUILD_MAC */
-    bool break_on_auth = !conn->ssl_config.verifypeer ||
-      data->set.str[STRING_SSL_CAFILE_ORIG];
+    bool break_on_auth = !conn->ssl_config.verifypeer || ssl_cafile;
     err = SSLSetSessionOption(connssl->ssl_ctx,
                               kSSLSessionOptionBreakOnServerAuth,
                               break_on_auth);
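Review bot: `break_on_auth` at the added line still reads `conn->ssl_config.verifypeer`, the origin connection's setting, while the other operand on the same line (`ssl_cafile`) and the `verifypeer` local declared at the top of this function come from `SSL_CONN_CONFIG()`, which the rest of the commit uses to select the proxy settings during the HTTPS-proxy handshake. If I remember kSSLSessionOptionBreakOnServerAuth correctly, setting it suppresses Secure Transport's own trust evaluation and hands it to the caller, and step2 below only calls verify_cert() when a CA file is configured, so a transfer with CURLOPT_SSL_VERIFYPEER=0 but proxy verification left on would skip verification of the proxy certificate. The fix is the one-liner `bool break_on_auth = !verifypeer || ssl_cafile;`. This assumes SSL_CONN_CONFIG() resolves to the proxy configuration while SSL_IS_PROXY() is true, as its use for CAfile here implies; darwinssl_connect_step1 continues outside this hunk.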
@@ -1379,15 +1383,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
   }
 #endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
 
-  if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
-    bool is_cert_file = is_file(data->set.str[STRING_SSL_CAFILE_ORIG]);
+  if(ssl_cafile) {
+    bool is_cert_file = is_file(ssl_cafile);
 
     if(!is_cert_file) {
-      failf(data, "SSL: can't load CA certificate file %s",
-            data->set.str[STRING_SSL_CAFILE_ORIG]);
+      failf(data, "SSL: can't load CA certificate file %s", ssl_cafile);
       return CURLE_SSL_CACERT_BADFILE;
     }
-    if(!data->set.ssl.primary.verifypeer) {
+    if(!verifypeer) {
       failf(data, "SSL: CA certificate set, but certificate verification "
             "is disabled");
       return CURLE_SSL_CONNECT_ERROR;
@@ -1398,17 +1401,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
    * Both hostname check and SNI require SSLSetPeerDomainName().
    * Also: the verifyhost setting influences SNI usage */
   if(conn->ssl_config.verifyhost) {
-    err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name,
-    strlen(conn->host.name));
+    err = SSLSetPeerDomainName(connssl->ssl_ctx, hostname,
+    strlen(hostname));
 
     if(err != noErr) {
       infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n",
             err);
     }
 
-    if((Curl_inet_pton(AF_INET, conn->host.name, &addr))
+    if((Curl_inet_pton(AF_INET, hostname, &addr))
   #ifdef ENABLE_IPV6
-    || (Curl_inet_pton(AF_INET6, conn->host.name, &addr))
+    || (Curl_inet_pton(AF_INET6, hostname, &addr))
   #endif
        ) {
       infof(data, "WARNING: using IP address, SNI is being disabled by "
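Review bot: `if(conn->ssl_config.verifyhost)` at the head of this hunk still gates SSLSetPeerDomainName() on the origin connection's setting, although the name passed to it is now `hostname` (the proxy's name when SSL_IS_PROXY() is true) and the session-ID in the next hunk keys on `SSL_CONN_CONFIG(verifyhost)`. For the proxy handshake this means a client that disabled CURLOPT_SSL_VERIFYHOST for the origin would also skip the name check (and SNI, per the comment above) on the proxy certificate regardless of CURLOPT_PROXY_SSL_VERIFYHOST. The line is unchanged by this commit but the new hostname selection makes it matter; `if(SSL_CONN_CONFIG(verifyhost)) {` would make it consistent with the rest of the function, assuming SSL_CONN_CONFIG() selects the proxy settings as its other uses here suggest. darwinssl_connect_step1 extends beyond this hunk.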
@@ -1558,10 +1561,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
     else {
       CURLcode result;
       ssl_sessionid =
-        aprintf("%s:%d:%d:%s:%hu", data->set.str[STRING_SSL_CAFILE_ORIG],
-                data->set.ssl.primary.verifypeer,
-                data->set.ssl.primary.verifyhost,
-                conn->host.name, conn->remote_port);
+        aprintf("%s:%d:%d:%s:%hu", ssl_cafile,
+                verifypeer, SSL_CONN_CONFIG(verifyhost), hostname, port);
       ssl_sessionid_len = strlen(ssl_sessionid);
 
       err = SSLSetPeerID(connssl->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
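Review bot: The rewritten `aprintf("%s:%d:%d:%s:%hu", ...)` now passes `port`, which the first hunk of this function declares as `const long int`, for the `%hu` conversion. The previous argument `conn->remote_port` was an int, which `%hu` tolerates after default argument promotion, but a `long` does not match the specifier and is undefined behavior in a varargs call, so the session-cache key may pick up a wrong port value on some ABIs. Either change the specifier to match, `aprintf("%s:%d:%d:%s:%ld", ssl_cafile, verifypeer, SSL_CONN_CONFIG(verifyhost), hostname, port);`, or declare `port` as `int`. The enclosing function continues outside this hunk.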
@@ -1898,6 +1899,8 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
   OSStatus err;
   SSLCipherSuite cipher;
   SSLProtocol protocol = 0;
+  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+    conn->host.name;
 
   DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
               || ssl_connect_2_reading == connssl->connecting_state
@@ -1916,8 +1919,8 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
       /* The below is errSSLServerAuthCompleted; it's not defined in
         Leopard's headers */
       case -9841:
-        if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
-          int res = verify_cert(data->set.str[STRING_SSL_CAFILE_ORIG], data,
+        if(SSL_CONN_CONFIG(CAfile)) {
+          int res = verify_cert(SSL_CONN_CONFIG(CAfile), data,
                                 connssl->ssl_ctx);
           if(res != CURLE_OK)
             return res;
@@ -1986,7 +1989,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
         return CURLE_SSL_CONNECT_ERROR;
       default:
         failf(data, "Unknown SSL protocol error in connection to %s:%d",
-              conn->host.name, err);
+              hostname, err);
         return CURLE_SSL_CONNECT_ERROR;
     }
   }
index a91d09cb7e4ee4b51908033c69423189ea54517e..6cac9573c0160272e950044e8b8d849908311cf2 100644 (file)
@@ -833,7 +833,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
   }
 
   /* Determine which SSL/TLS version should be enabled. */
-  sni = conn->host.name;
+  sni = hostname;
   switch (ssl_version) {
   case CURL_SSLVERSION_SSLv2:
     protoflags = CURL_GSKPROTO_SSLV2_MASK;
index 4ef06ee5d02d9fb00571a7d3b5e71ef4f27fa699..4c9d9fada96455ae356fd04a3cf4199d1c0c8df5 100644 (file)
@@ -502,8 +502,8 @@ gtls_connect_step1(struct connectdata *conn,
 
 #ifdef CURL_CA_FALLBACK
   /* use system ca certificate store as fallback */
-  if(data->set.ssl.verifypeer &&
-     !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
+  if(SSL_CONN_CONFIG(verifypeer) &&
+     !(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(CApath))) {
     gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
   }
 #endif
index 8fa126a750379494b182680bed07b2d0bd90d8d8..c84e597a3fa3753dc4c22670e3ea25f7ab029ce8 100644 (file)
@@ -163,13 +163,21 @@ mbed_connect_step1(struct connectdata *conn,
 {
   struct Curl_easy *data = conn->data;
   struct ssl_connect_data* connssl = &conn->ssl[sockindex];
+  const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+  const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+  const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+  char * const ssl_cert = SSL_SET_OPTION(cert);
+  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
+  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+    conn->host.name;
+  const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
 
   int ret = -1;
   char errorbuf[128];
   errorbuf[0]=0;
 
   /* mbedTLS only supports SSLv3 and TLSv1 */
-  if(data->set.ssl.primary.version == CURL_SSLVERSION_SSLv2) {
+  if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) {
     failf(data, "mbedTLS does not support SSLv2");
     return CURLE_SSL_CONNECT_ERROR;
   }
@@ -205,34 +213,32 @@ mbed_connect_step1(struct connectdata *conn,
   /* Load the trusted CA */
   mbedtls_x509_crt_init(&connssl->cacert);
 
-  if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
-    ret = mbedtls_x509_crt_parse_file(&connssl->cacert,
-                                      data->set.str[STRING_SSL_CAFILE_ORIG]);
+  if(ssl_cafile) {
+    ret = mbedtls_x509_crt_parse_file(&connssl->cacert, ssl_cafile);
 
     if(ret<0) {
 #ifdef MBEDTLS_ERROR_C
       mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
 #endif /* MBEDTLS_ERROR_C */
       failf(data, "Error reading ca cert file %s - mbedTLS: (-0x%04X) %s",
-            data->set.str[STRING_SSL_CAFILE_ORIG], -ret, errorbuf);
+            ssl_cafile, -ret, errorbuf);
 
-      if(data->set.ssl.primary.verifypeer)
+      if(verifypeer)
         return CURLE_SSL_CACERT_BADFILE;
     }
   }
 
-  if(data->set.str[STRING_SSL_CAPATH_ORIG]) {
-    ret = mbedtls_x509_crt_parse_path(&connssl->cacert,
-                                      data->set.str[STRING_SSL_CAPATH_ORIG]);
+  if(ssl_capath) {
+    ret = mbedtls_x509_crt_parse_path(&connssl->cacert, ssl_capath);
 
     if(ret<0) {
 #ifdef MBEDTLS_ERROR_C
       mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
 #endif /* MBEDTLS_ERROR_C */
       failf(data, "Error reading ca cert path %s - mbedTLS: (-0x%04X) %s",
-            data->set.str[STRING_SSL_CAPATH_ORIG], -ret, errorbuf);
+            ssl_capath, -ret, errorbuf);
 
-      if(data->set.ssl.primary.verifypeer)
+      if(verifypeer)
         return CURLE_SSL_CACERT_BADFILE;
     }
   }
@@ -240,16 +246,15 @@ mbed_connect_step1(struct connectdata *conn,
   /* Load the client certificate */
   mbedtls_x509_crt_init(&connssl->clicert);
 
-  if(data->set.str[STRING_CERT_ORIG]) {
-    ret = mbedtls_x509_crt_parse_file(&connssl->clicert,
-                                      data->set.str[STRING_CERT_ORIG]);
+  if(ssl_cert) {
+    ret = mbedtls_x509_crt_parse_file(&connssl->clicert, ssl_cert);
 
     if(ret) {
 #ifdef MBEDTLS_ERROR_C
       mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
 #endif /* MBEDTLS_ERROR_C */
       failf(data, "Error reading client cert file %s - mbedTLS: (-0x%04X) %s",
-            data->set.str[STRING_CERT_ORIG], -ret, errorbuf);
+            ssl_cert, -ret, errorbuf);
 
       return CURLE_SSL_CERTPROBLEM;
     }
@@ -258,10 +263,9 @@ mbed_connect_step1(struct connectdata *conn,
   /* Load the client private key */
   mbedtls_pk_init(&connssl->pk);
 
-  if(data->set.str[STRING_KEY_ORIG]) {
-    ret = mbedtls_pk_parse_keyfile(&connssl->pk,
-                                   data->set.str[STRING_KEY_ORIG],
-                                   data->set.str[STRING_KEY_ORIG]);
+  if(SSL_SET_OPTION(key)) {
+    ret = mbedtls_pk_parse_keyfile(&connssl->pk, SSL_SET_OPTION(key),
+                                   SSL_SET_OPTION(key_passwd));
     if(ret == 0 && !mbedtls_pk_can_do(&connssl->pk, MBEDTLS_PK_RSA))
       ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
 
@@ -270,7 +274,7 @@ mbed_connect_step1(struct connectdata *conn,
       mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
 #endif /* MBEDTLS_ERROR_C */
       failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
-            data->set.str[STRING_KEY_ORIG], -ret, errorbuf);
+            SSL_SET_OPTION(key), -ret, errorbuf);
 
       return CURLE_SSL_CERTPROBLEM;
     }
@@ -279,23 +283,21 @@ mbed_connect_step1(struct connectdata *conn,
   /* Load the CRL */
   mbedtls_x509_crl_init(&connssl->crl);
 
-  if(data->set.str[STRING_SSL_CRLFILE_ORIG]) {
-    ret = mbedtls_x509_crl_parse_file(&connssl->crl,
-                                      data->set.str[STRING_SSL_CRLFILE_ORIG]);
+  if(ssl_crlfile) {
+    ret = mbedtls_x509_crl_parse_file(&connssl->crl, ssl_crlfile);
 
     if(ret) {
 #ifdef MBEDTLS_ERROR_C
       mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
 #endif /* MBEDTLS_ERROR_C */
       failf(data, "Error reading CRL file %s - mbedTLS: (-0x%04X) %s",
-            data->set.str[STRING_SSL_CRLFILE_ORIG], -ret, errorbuf);
+            ssl_crlfile, -ret, errorbuf);
 
       return CURLE_SSL_CRL_BADFILE;
     }
   }
 
-  infof(data, "mbedTLS: Connecting to %s:%d\n",
-        conn->host.name, conn->remote_port);
+  infof(data, "mbedTLS: Connecting to %s:%d\n", hostname, port);
 
   mbedtls_ssl_config_init(&connssl->config);
 
@@ -317,7 +319,7 @@ mbed_connect_step1(struct connectdata *conn,
   mbedtls_ssl_conf_cert_profile(&connssl->config,
                                 &mbedtls_x509_crt_profile_fr);
 
-  switch(data->set.ssl.primary.version) {
+  switch(SSL_CONN_CONFIG(version)) {
   case CURL_SSLVERSION_DEFAULT:
   case CURL_SSLVERSION_TLSv1:
     mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
@@ -393,11 +395,11 @@ mbed_connect_step1(struct connectdata *conn,
                             &connssl->cacert,
                             &connssl->crl);
 
-  if(data->set.str[STRING_KEY_ORIG]) {
+  if(SSL_SET_OPTION(key)) {
     mbedtls_ssl_conf_own_cert(&connssl->config,
                               &connssl->clicert, &connssl->pk);
   }
-  if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+  if(mbedtls_ssl_set_hostname(&connssl->ssl, hostname)) {
     /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
        the name to set in the SNI extension. So even if curl connects to a
        host specified as an IP address, this function must be used. */
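Review bot: The client certificate is only handed to `mbedtls_ssl_conf_own_cert()` under `if(SSL_SET_OPTION(key))`, while the certificate itself was loaded under `if(ssl_cert)` in an earlier hunk; a cert configured without a key is silently never presented, and a key without a cert registers an empty `clicert`. If both are required, gate here on both (`if(SSL_SET_OPTION(key) && ssl_cert)`) and report the half-configured case at load time, so it surfaces as a clear error instead of a handshake failure. This is pre-existing behaviour that the macro swap carries over; mbed_connect_step1 continues outside the hunk.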
@@ -487,7 +489,7 @@ mbed_connect_step2(struct connectdata *conn,
 
   ret = mbedtls_ssl_get_verify_result(&conn->ssl[sockindex].ssl);
 
-  if(ret && data->set.ssl.primary.verifypeer) {
+  if(ret && SSL_CONN_CONFIG(verifypeer)) {
     if(ret & MBEDTLS_X509_BADCERT_EXPIRED)
       failf(data, "Cert verify failed: BADCERT_EXPIRED");
 
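Review bot: `if(ret && SSL_CONN_CONFIG(verifypeer))` discards the entire verify result when peer verification is off, including the `MBEDTLS_X509_BADCERT_CN_MISMATCH` bit, so a hostname mismatch is never reported independently of `verifypeer` on this backend. If `verifyhost` is meant to be honoured on its own here (as the OpenSSL backend does), that bit needs its own test, e.g. `if((ret & MBEDTLS_X509_BADCERT_CN_MISMATCH) && SSL_CONN_CONFIG(verifyhost))`; if tying the two together is intended, a one-line comment saying so would save the next reader the question. mbed_connect_step2 continues outside the hunk.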
index b8bc6c1173d91d86cdf33c844273f4310e42a384..465d1bef61c539498ba4b39ee3034aa7e90112f4 100644 (file)
@@ -2074,7 +2074,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
           ssl_capath ? ssl_capath : "none");
   }
 #ifdef CURL_CA_FALLBACK
-  else if(data->set.ssl.verifypeer) {
+  else if(verifypeer) {
     /* verfying the peer without any CA certificates won't
        work so use openssl's built in default as fallback */
     SSL_CTX_set_default_verify_paths(connssl->ctx);
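Review bot: The return value of `SSL_CTX_set_default_verify_paths()` is ignored, so when `verifypeer` is set and no CA file or path was given, a failure to load the default store is only noticed later as an unexplained verification error. Check it and fail closed: `if(!SSL_CTX_set_default_verify_paths(connssl->ctx)) { failf(data, "error loading default CA paths"); return CURLE_SSL_CACERT_BADFILE; }`. Pre-existing, carried over by the rename to `verifypeer`; ossl_connect_step1 continues outside the hunk.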
@@ -2108,7 +2108,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
   https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
   */
 #if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
-  if(data->set.ssl.verifypeer) {
+  if(verifypeer) {
     X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
                          X509_V_FLAG_TRUSTED_FIRST);
   }
@@ -2204,6 +2204,8 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
   struct Curl_easy *data = conn->data;
   int err;
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  long * const certverifyresult = SSL_IS_PROXY() ?
+    &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
   DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
               || ssl_connect_2_reading == connssl->connecting_state
               || ssl_connect_2_writing == connssl->connecting_state);
@@ -2253,7 +2255,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
 
         lerr = SSL_get_verify_result(connssl->handle);
         if(lerr != X509_V_OK) {
-          data->set.ssl.certverifyresult = lerr;
+          *certverifyresult = lerr;
           snprintf(error_buffer, sizeof(error_buffer),
                    "SSL certificate problem: %s",
                    X509_verify_cert_error_string(lerr));
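Review bot: `*certverifyresult` is written only inside `if(lerr != X509_V_OK)`, so this path never resets the selected slot to X509_V_OK; what CURLINFO_PROXY_SSL_VERIFYRESULT reports after a successful proxy handshake depends on the unconditional write in the certificate-check code later in this file (presumably servercert()), which is outside the diff. Please confirm that write also picks `data->set.proxy_ssl.certverifyresult` when `SSL_IS_PROXY()` holds; otherwise the proxy slot keeps whatever stale value it had. The `long * const certverifyresult` selector is introduced in the earlier hunk of this function with the same ternary, and could be shared through a small helper if the same choice is needed there too. ossl_connect_step2 continues outside both hunks.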
index 7b20c265668905b57d1721550e0a70a18a901fbf..25d44382c8fd334049b49ef768b66e0b0d4c8039 100644 (file)
@@ -123,9 +123,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 #endif
   TCHAR *host_name;
   CURLcode result;
+  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+    conn->host.name;
 
   infof(data, "schannel: SSL/TLS connection with %s port %hu (step 1/3)\n",
-        conn->host.name, conn->remote_port);
+        hostname, conn->remote_port);
 
 #ifdef HAS_ALPN
   /* ALPN is only supported on Windows 8.1 / Server 2012 R2 and above.
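Review bot: The log line still prints `conn->remote_port` next to the proxy-aware `hostname`, so for an HTTPS proxy the message pairs the proxy's name with the origin server's port. Select the port the same way the name is selected, as the mbedTLS hunk in this commit does with its `port` local: `const int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;` (conn->port being the port actually connected to, if I read url.c right) and print that; the same applies to the step 2/3 messages in schannel_connect_step2 and schannel_connect_step3 and to the message in Curl_schannel_shutdown. The `SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name` ternary is also repeated verbatim in step2, step3, Curl_schannel_shutdown and verify_certificate; a `static const char *tls_hostname(const struct connectdata *conn)` helper would keep the five copies from drifting. schannel_connect_step1 continues outside the hunk.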
@@ -259,9 +261,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
   }
 
   /* Warn if SNI is disabled due to use of an IP address */
-  if(Curl_inet_pton(AF_INET, conn->host.name, &addr)
+  if(Curl_inet_pton(AF_INET, hostname, &addr)
 #ifdef ENABLE_IPV6
-     || Curl_inet_pton(AF_INET6, conn->host.name, &addr6)
+     || Curl_inet_pton(AF_INET6, hostname, &addr6)
 #endif
     ) {
     infof(data, "schannel: using IP address, SNI is not supported by OS.\n");
@@ -339,7 +341,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
   }
   memset(connssl->ctxt, 0, sizeof(struct curl_schannel_ctxt));
 
-  host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
+  host_name = Curl_convert_UTF8_to_tchar(hostname);
   if(!host_name)
     return CURLE_OUT_OF_MEMORY;
 
@@ -412,11 +414,13 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
   TCHAR *host_name;
   CURLcode result;
   bool doread;
+  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+    conn->host.name;
 
   doread = (connssl->connecting_state != ssl_connect_2_writing) ? TRUE : FALSE;
 
   infof(data, "schannel: SSL/TLS connection with %s port %hu (step 2/3)\n",
-        conn->host.name, conn->remote_port);
+        hostname, conn->remote_port);
 
   if(!connssl->cred || !connssl->ctxt)
     return CURLE_SSL_CONNECT_ERROR;
@@ -512,7 +516,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
     memcpy(inbuf[0].pvBuffer, connssl->encdata_buffer,
            connssl->encdata_offset);
 
-    host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
+    host_name = Curl_convert_UTF8_to_tchar(hostname);
     if(!host_name)
       return CURLE_OUT_OF_MEMORY;
 
@@ -644,6 +648,8 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
   SECURITY_STATUS sspi_status = SEC_E_OK;
   CERT_CONTEXT *ccert_context = NULL;
+  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+    conn->host.name;
 #ifdef HAS_ALPN
   SecPkgContext_ApplicationProtocol alpn_result;
 #endif
@@ -651,7 +657,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
 
   infof(data, "schannel: SSL/TLS connection with %s port %hu (step 3/3)\n",
-        conn->host.name, conn->remote_port);
+        hostname, conn->remote_port);
 
   if(!connssl->cred)
     return CURLE_SSL_CONNECT_ERROR;
@@ -1384,9 +1390,11 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
    */
   struct Curl_easy *data = conn->data;
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+    conn->host.name;
 
   infof(data, "schannel: shutting down SSL/TLS connection with %s port %hu\n",
-        conn->host.name, conn->remote_port);
+        hostname, conn->remote_port);
 
   if(connssl->cred && connssl->ctxt) {
     SecBufferDesc BuffDesc;
@@ -1408,7 +1416,7 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
       failf(data, "schannel: ApplyControlToken failure: %s",
             Curl_sspi_strerror(conn, sspi_status));
 
-    host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
+    host_name = Curl_convert_UTF8_to_tchar(hostname);
     if(!host_name)
       return CURLE_OUT_OF_MEMORY;
 
@@ -1533,6 +1541,9 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
   CURLcode result = CURLE_OK;
   CERT_CONTEXT *pCertContextServer = NULL;
   const CERT_CHAIN_CONTEXT *pChainContext = NULL;
+  const char * const conn_hostname = SSL_IS_PROXY() ?
+    conn->http_proxy.host.name :
+    conn->host.name;
 
   status = s_pSecFn->QueryContextAttributes(&connssl->ctxt->ctxt_handle,
                                             SECPKG_ATTR_REMOTE_CERT_CONTEXT,
@@ -1597,7 +1608,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
       DWORD len;
 
       cert_hostname.const_tchar_ptr = cert_hostname_buff;
-      hostname.tchar_ptr = Curl_convert_UTF8_to_tchar(conn->host.name);
+      hostname.tchar_ptr = Curl_convert_UTF8_to_tchar(conn_hostname);
 
       /* TODO: Fix this for certificates with multiple alternative names.
       Right now we're only asking for the first preferred alternative name.
@@ -1615,7 +1626,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
                               128);
       if(len > 0 && *cert_hostname.tchar_ptr == '*') {
         /* this is a wildcard cert.  try matching the last len - 1 chars */
-        int hostname_len = strlen(conn->host.name);
+        int hostname_len = strlen(conn_hostname);
         cert_hostname.tchar_ptr++;
         if(_tcsicmp(cert_hostname.const_tchar_ptr,
                     hostname.const_tchar_ptr + hostname_len - len + 2) != 0)
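Review bot: `hostname.const_tchar_ptr + hostname_len - len + 2` points before the start of the hostname string whenever the connection name is shorter than the wildcard suffix (`hostname_len + 2 < len`), and because `len` is a DWORD the signed `hostname_len` is converted to unsigned first, so on a 64-bit build the read lands far outside the buffer rather than one element before it. Guard before comparing and treat the short case as a mismatch: `if((DWORD)hostname_len + 2 < len || _tcsicmp(cert_hostname.const_tchar_ptr, hostname.const_tchar_ptr + hostname_len - len + 2) != 0)`, and keep the `strlen()` result in a `size_t` instead of an `int`. The defect is pre-existing; the commit only changes which name is measured. verify_certificate continues outside the hunk.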
@@ -1630,7 +1641,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
         _cert_hostname = Curl_convert_tchar_to_UTF8(cert_hostname.tchar_ptr);
         failf(data, "schannel: CertGetNameString() certificate hostname "
               "(%s) did not match connection (%s)",
-              _cert_hostname, conn->host.name);
+              _cert_hostname, conn_hostname);
         Curl_unicodefree(_cert_hostname);
       }
       Curl_unicodefree(hostname.tchar_ptr);