CURLE_SSL_INSECURE is removed again and so is CURLOPT_SSL_INSECURE, we

proceed fine with the already existing options, just having a different
internal library default for capath.
Daniel Stenberg 2002-08-30 11:09:49 +00:00
parent 5644f4a295
commit 0e0caf7c06
8 changed files with 51 additions and 62 deletions

19
CHANGES

@ -6,15 +6,24 @@
Changelog
Daniel (30 Aug 2002)
- Applied an anonymous SOCKS5-proxy patch. Not properly working in all
situations though, as all getaddrinfo()-using libcurls will fail on this.
- Fixed up the SSL cert fixes from the other day even more after more inputs
from Cris. Added three new error codes to make the CURLE_SSL_CONNECT_ERROR
slightly less overloaded.
Daniel (27 Aug 2002)
- After lots of talk with Tom Zerucha, Nick Gimbrone and Cris Bailiff I
decided to talk the bold path and I now introduced the CURLOPT_SSL_INSECURE
option that needs to be set to TRUE to allow libcurl to connect to SSL sites
without using a CA certificate to verify it with.
decided to talk the bold path and I now made libcurl do CA certificate
verification by default. Thus library users need to explicitly turn this off
if you want to connect to sites without proper checking. We also install a
CA cert bundle on 'make install' now.
The curl tool similarly requires the -k/--insecure optin in order to allow
The curl tool now requires the -k/--insecure option in order to allow
connections and operations on SSL sites that aren't properly verified with
-cafile or --capath
-cafile or --capath.
Daniel (26 Aug 2002)
- Andrew Francis cleaned up some code that now compiles fine without the need


@ -710,7 +710,7 @@ if test "x$ca" = "xno"; then
dnl let's not keep "no" as path name, blank it instead
ca=""
else
AC_DEFINE_UNQUOTED(CURL_CA_BUNDLE, $ca, [CA bundle full path name])
AC_DEFINE_UNQUOTED(CURL_CA_BUNDLE, "$ca", [CA bundle full path name])
fi
CURL_CA_BUNDLE="$ca"


@ -197,8 +197,10 @@ typedef enum {
CURLE_SEND_ERROR, /* 55 - failed sending network data */
CURLE_RECV_ERROR, /* 56 - failure in receiving network data */
CURLE_SHARE_IN_USE, /* 57 - share is in use */
CURLE_SSL_INSECURE, /* 58 - connect attempt without certificate
but SSL_INSECURE not explicitly allowed */
CURLE_SSL_CERTPROBLEM, /* 58 - problem with the local certificate */
CURLE_SSL_CIPHER, /* 59 - couldn't use specified cipher */
CURLE_SSL_CACERT, /* 60 - problem with the CA cert (path?) */
CURL_LAST /* never use! */
} CURLcode;
@ -579,12 +581,9 @@ typedef enum {
/* Provide a CURLShare for mutexing non-ts data */
CINIT(SHARE, OBJECTPOINT, 100),
/* Explicitly allow insecure SSL connects */
CINIT(SSL_INSECURE, LONG, 101),
/* indicates type of proxy. accepted values are CURLPROXY_HTTP (default),
CURLPROXY_SOCKS4 and CURLPROXY_SOCKS5. */
CINIT(PROXYTYPE, LONG, 102),
CINIT(PROXYTYPE, LONG, 101),
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
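Review bot: Value 58 in CURLcode and value 101 in CURLoption are each given a new meaning here: 58 moves from CURLE_SSL_INSECURE to CURLE_SSL_CERTPROBLEM, and `CINIT(PROXYTYPE, LONG, 101)` takes the number that SSL_INSECURE held. That is only safe if no header with the earlier numbering was ever distributed; a program built against it would otherwise have its insecure-SSL setting read as a proxy type and would misreport error 58. If there is any doubt, keep PROXYTYPE at 102 and leave 101 retired, with a comment such as `/* 101 was SSL_INSECURE, removed before release */`. Both enums start outside these hunks.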


@ -72,5 +72,6 @@ $(srcdir)/getdate.c: getdate.y
install-data-hook:
@if test -n "@CURL_CA_BUNDLE@"; then \
$(mkinstalldirs) `dirname $(DESTDIR)@CURL_CA_BUNDLE@`; \
@INSTALL_DATA@ ca-bundle.crt $(DESTDIR)@CURL_CA_BUNDLE@; \
fi
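Review bot: The install-data-hook copies ca-bundle.crt over whatever already exists at `$(DESTDIR)@CURL_CA_BUNDLE@`, so a reinstall silently replaces a trust store the administrator may have edited (private CAs added, distrusted ones removed). Consider skipping the copy when the target exists, for example `test -f $(DESTDIR)@CURL_CA_BUNDLE@ || @INSTALL_DATA@ ca-bundle.crt $(DESTDIR)@CURL_CA_BUNDLE@; \`, or at least printing a notice that the bundle was replaced. The path is also expanded unquoted inside the backticks, so a bundle path containing spaces would break the `dirname` call. Which of these lines the commit adds is not recoverable from the rendered page.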


@ -722,7 +722,7 @@ Curl_SSLConnect(struct connectdata *conn)
data->set.key,
data->set.key_type)) {
/* failf() is already done in cert_stuff() */
return CURLE_SSL_CONNECT_ERROR;
return CURLE_SSL_CERTPROBLEM;
}
}
@ -730,7 +730,7 @@ Curl_SSLConnect(struct connectdata *conn)
if (!SSL_CTX_set_cipher_list(conn->ssl.ctx,
data->set.ssl.cipher_list)) {
failf(data, "failed setting cipher list");
return CURLE_SSL_CONNECT_ERROR;
return CURLE_SSL_CIPHER;
}
}
@ -743,7 +743,7 @@ Curl_SSLConnect(struct connectdata *conn)
data->set.ssl.CAfile,
data->set.ssl.CApath)) {
failf(data,"error setting cerficate verify locations");
return CURLE_SSL_CONNECT_ERROR;
return CURLE_SSL_CACERT;
}
}
else
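Review bot: The branch that now returns CURLE_SSL_CACERT reports only `"error setting cerficate verify locations"`, which does not say which file or directory was rejected. Since this commit lets the CA file come from the compiled-in CURL_CA_BUNDLE instead of from the caller, a missing or unreadable default bundle becomes a likely cause, and the user cannot see the path that was tried. Suggest naming both inputs and fixing the spelling: `failf(data, "error setting certificate verify locations: CAfile: %s CApath: %s", data->set.ssl.CAfile ? data->set.ssl.CAfile : "none", data->set.ssl.CApath ? data->set.ssl.CApath : "none");`. Curl_SSLConnect starts and ends outside these hunks.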


@ -111,6 +111,7 @@
#include "ldap.h"
#include "url.h"
#include "connect.h"
#include "ca-bundle.h"
#include <curl/types.h>
@ -293,12 +294,23 @@ CURLcode Curl_open(struct SessionHandle **curl)
free(data);
return CURLE_OUT_OF_MEMORY;
}
/*
* libcurl 7.10 introduces SSL verification *by default*! This needs to be
* switched off unless wanted.
*/
data->set.ssl.verifypeer = TRUE;
data->set.ssl.verifyhost = 2;
#ifdef CURL_CA_BUNDLE
/* This is our prefered CA cert bundle since install time */
data->set.ssl.CAfile = CURL_CA_BUNDLE;
#endif
memset(data->state.connects, 0,
sizeof(struct connectdata *)*data->state.numconnects);
*curl = data;
return CURLE_OK;
}
@ -1051,10 +1063,6 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
}
break;
case CURLOPT_SSL_INSECURE:
data->set.ssl.allow_insecure = va_arg(param, long)?TRUE:FALSE;
break;
case CURLOPT_PROXYTYPE:
/*
* Set proxy type. HTTP/SOCKS4/SOCKS5
@ -2247,17 +2255,6 @@ static CURLcode CreateConnection(struct SessionHandle *data,
return CURLE_UNSUPPORTED_PROTOCOL;
}
if(conn->protocol & PROT_SSL) {
/* If SSL is requested, require security level info */
if(!data->set.ssl.allow_insecure &&
!(data->set.ssl.CAfile || data->set.ssl.CApath)) {
failf(data, "Insecure SSL connect attempted without explicit permission granted");
return CURLE_SSL_INSECURE;
}
}
/*************************************************************
* Figure out the remote port number
*
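Review bot: With the check in CreateConnection removed, nothing visible here rejects an SSL connect that has neither CAfile nor CApath, which is the state Curl_open leaves the handle in when configure did not define CURL_CA_BUNDLE. Please confirm that Curl_SSLConnect still enables peer verification in that case so the handshake fails closed; the branch that decides this is outside the visible hunks. A comment at the new defaults would record the intent, e.g. `/* without a compiled-in bundle verifypeer stays TRUE; the connect must fail until the caller sets CAINFO or CAPATH */`. Separately, `data->set.ssl.CAfile = CURL_CA_BUNDLE;` stores a string literal in a `char *` field, so any code that frees or writes through CAfile must not assume it owns heap memory.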


@ -144,8 +144,6 @@ struct ssl_config_data {
char *random_file; /* path to file containing "random" data */
char *egdsocket; /* path to file containing the EGD daemon socket */
char *cipher_list; /* list of ciphers to use */
bool allow_insecure; /* allow connects without any CA certificate */
long numsessions; /* SSL session id cache size */
};


@ -2721,13 +2721,21 @@ operate(struct Configurable *config, int argc, char *argv[])
curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, config->key_passwd);
if(config->cacert || config->capath) {
if (config->cacert) curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
if (config->capath) curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
if (config->cacert)
curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
if (config->capath)
curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
}
else
else {
if(config->insecure_ok)
/* new stuff needed for libcurl 7.10 */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
}
if((config->conf&CONF_NOBODY) ||
config->remote_time) {
@ -2798,9 +2806,6 @@ operate(struct Configurable *config, int argc, char *argv[])
}
curl_easy_setopt(curl, CURLOPT_VERBOSE, config->conf&CONF_VERBOSE);
/* new in curl 7.10 */
curl_easy_setopt(curl, CURLOPT_SSL_INSECURE, config->insecure_ok);
res = curl_easy_perform(curl);
if((config->progressmode == CURL_PROGRESS_BAR) &&
@ -2823,28 +2828,8 @@ operate(struct Configurable *config, int argc, char *argv[])
vms_show = VMSSTS_HIDE;
}
#else
if((res!=CURLE_OK) && config->showerror) {
switch(res) {
case CURLE_SSL_INSECURE:
/* Since this breaks how curl used to work, we need a slightly more
verbose and descriptive error here to educate people what is
happening and what to do to make it work. At least for a
while. */
fprintf(config->errors, "curl: (%d) %s\n%s", res,
errorbuffer,
" Since SSL doesn't offer any true security if you don't use a CA\n"
" certificate to verify the peer certificate with, you must either\n"
" provide one to make sure that the server really is the server you\n"
" think it is, or you must explicitly tell curl that insecure SSL\n"
" connects are fine.\n"
" Allow insecure SSL operations with -k/--insecure\n"
);
break;
default:
fprintf(config->errors, "curl: (%d) %s\n", res, errorbuffer);
break;
}
}
if((res!=CURLE_OK) && config->showerror)
fprintf(config->errors, "curl: (%d) %s\n", res, errorbuffer);
#endif
if (outfile && !strequal(outfile, "-") && outs.stream)
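Review bot: In the `else {` branch of the first operate() hunk, `if(config->insecure_ok)` has no braces, so it guards only the `CURLOPT_SSL_VERIFYPEER, FALSE` call. `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);` therefore runs on every invocation that gives neither --cacert nor --capath. That lowers the host check from the 2 that Curl_open now sets by default to 1, so a default run of the tool verifies the chain against the bundle but no longer requires the certificate name to match the host. Put both relaxations under the -k test: make the branch `else if(config->insecure_ok) {` and keep the VERIFYPEER and VERIFYHOST calls inside its braces. operate() starts and ends outside these hunks.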