CURLE_SSL_INSECURE is removed again and so is CURLOPT_SSL_INSECURE, we

proceed fine with the already existing options, just having a different
internal library default for capath.

CHANGES

@@ -6,15 +6,24 @@
 
                                   Changelog
 
+Daniel (30 Aug 2002)
+- Applied an anonymous SOCKS5-proxy patch. Not properly working in all
+  situations though, as all getaddrinfo()-using libcurls will fail on this.
+
+- Fixed up the SSL cert fixes from the other day even more after more inputs
+  from Cris. Added three new error codes to make the CURLE_SSL_CONNECT_ERROR
+  slightly less overloaded.
+
 Daniel (27 Aug 2002)
 - After lots of talk with Tom Zerucha, Nick Gimbrone and Cris Bailiff I
-  decided to talk the bold path and I now introduced the CURLOPT_SSL_INSECURE
+  decided to talk the bold path and I now made libcurl do CA certificate
-  option that needs to be set to TRUE to allow libcurl to connect to SSL sites
+  verification by default. Thus library users need to explicitly turn this off
-  without using a CA certificate to verify it with.
+  if you want to connect to sites without proper checking. We also install a
+  CA cert bundle on 'make install' now.
 
-  The curl tool similarly requires the -k/--insecure optin in order to allow
+  The curl tool now requires the -k/--insecure option in order to allow
   connections and operations on SSL sites that aren't properly verified with
-  -cafile or --capath
+  -cafile or --capath.
 
 Daniel (26 Aug 2002)
 - Andrew Francis cleaned up some code that now compiles fine without the need

configure.in

@@ -710,7 +710,7 @@ if test "x$ca" = "xno"; then
   dnl let's not keep "no" as path name, blank it instead
   ca=""
 else
-  AC_DEFINE_UNQUOTED(CURL_CA_BUNDLE, $ca, [CA bundle full path name])
+  AC_DEFINE_UNQUOTED(CURL_CA_BUNDLE, "$ca", [CA bundle full path name])
 fi
 
 CURL_CA_BUNDLE="$ca"

include/curl/curl.h

@@ -197,8 +197,10 @@ typedef enum {
   CURLE_SEND_ERROR,              /* 55 - failed sending network data */
   CURLE_RECV_ERROR,              /* 56 - failure in receiving network data */
   CURLE_SHARE_IN_USE,            /* 57 - share is in use */
-  CURLE_SSL_INSECURE,            /* 58 - connect attempt without certificate
+  CURLE_SSL_CERTPROBLEM,         /* 58 - problem with the local certificate */
-                                    but SSL_INSECURE not explicitly allowed */
+  CURLE_SSL_CIPHER,              /* 59 - couldn't use specified cipher */
+  CURLE_SSL_CACERT,              /* 60 - problem with the CA cert (path?) */
+
   CURL_LAST /* never use! */
 } CURLcode;
 
@@ -579,12 +581,9 @@ typedef enum {
   /* Provide a CURLShare for mutexing non-ts data */
   CINIT(SHARE, OBJECTPOINT, 100),
 
-  /* Explicitly allow insecure SSL connects */
-  CINIT(SSL_INSECURE, LONG, 101),
-
   /* indicates type of proxy. accepted values are CURLPROXY_HTTP (default),
      CURLPROXY_SOCKS4 and CURLPROXY_SOCKS5. */
-  CINIT(PROXYTYPE, LONG, 102), 
+  CINIT(PROXYTYPE, LONG, 101),
 
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;

lib/Makefile.am

@@ -72,5 +72,6 @@ $(srcdir)/getdate.c: getdate.y
 
 install-data-hook:
 	@if test -n "@CURL_CA_BUNDLE@"; then \
+	  $(mkinstalldirs) `dirname $(DESTDIR)@CURL_CA_BUNDLE@`; \
 	  @INSTALL_DATA@ ca-bundle.crt $(DESTDIR)@CURL_CA_BUNDLE@; \
         fi

lib/ssluse.c

@@ -722,7 +722,7 @@ Curl_SSLConnect(struct connectdata *conn)
                     data->set.key,
                     data->set.key_type)) {
       /* failf() is already done in cert_stuff() */
-      return CURLE_SSL_CONNECT_ERROR;
+      return CURLE_SSL_CERTPROBLEM;
     }
   }
 
@@ -730,7 +730,7 @@ Curl_SSLConnect(struct connectdata *conn)
     if (!SSL_CTX_set_cipher_list(conn->ssl.ctx,
                                  data->set.ssl.cipher_list)) {
       failf(data, "failed setting cipher list");
-      return CURLE_SSL_CONNECT_ERROR;
+      return CURLE_SSL_CIPHER;
     }
   }
 
@@ -743,7 +743,7 @@ Curl_SSLConnect(struct connectdata *conn)
                                        data->set.ssl.CAfile,
                                        data->set.ssl.CApath)) {
       failf(data,"error setting cerficate verify locations");
-      return CURLE_SSL_CONNECT_ERROR;
+      return CURLE_SSL_CACERT;
     }
   }
   else

lib/url.c

@@ -111,6 +111,7 @@
 #include "ldap.h"
 #include "url.h"
 #include "connect.h"
+#include "ca-bundle.h"
 
 #include <curl/types.h>
 
@@ -293,12 +294,23 @@ CURLcode Curl_open(struct SessionHandle **curl)
     free(data);
     return CURLE_OUT_OF_MEMORY;
   }
-  
+
+  /*
+   * libcurl 7.10 introduces SSL verification *by default*! This needs to be
+   * switched off unless wanted.
+   */
+  data->set.ssl.verifypeer = TRUE;
+  data->set.ssl.verifyhost = 2;
+#ifdef CURL_CA_BUNDLE
+  /* This is our prefered CA cert bundle since install time */
+  data->set.ssl.CAfile = CURL_CA_BUNDLE;
+#endif
+
+
   memset(data->state.connects, 0,
          sizeof(struct connectdata *)*data->state.numconnects);
 
   *curl = data;
-
   return CURLE_OK;
 }
 
@@ -1051,10 +1063,6 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
     }
     break;
 
-  case CURLOPT_SSL_INSECURE:
-    data->set.ssl.allow_insecure = va_arg(param, long)?TRUE:FALSE;
-    break;
-
   case CURLOPT_PROXYTYPE:
     /*
      * Set proxy type. HTTP/SOCKS4/SOCKS5
@@ -2247,17 +2255,6 @@ static CURLcode CreateConnection(struct SessionHandle *data,
     return CURLE_UNSUPPORTED_PROTOCOL;
   }
 
-  if(conn->protocol & PROT_SSL) {
-    /* If SSL is requested, require security level info */
-
-    if(!data->set.ssl.allow_insecure &&
-       !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
-      failf(data, "Insecure SSL connect attempted without explicit permission granted");
-      return CURLE_SSL_INSECURE;
-    }
-  }
-
-
   /*************************************************************
    * Figure out the remote port number
    *

lib/urldata.h

@@ -144,8 +144,6 @@ struct ssl_config_data {
   char *random_file;     /* path to file containing "random" data */
   char *egdsocket;       /* path to file containing the EGD daemon socket */
   char *cipher_list;     /* list of ciphers to use */
-  bool allow_insecure;   /* allow connects without any CA certificate */
-
   long numsessions;      /* SSL session id cache size */
 };
 

src/main.c

@@ -2721,13 +2721,21 @@ operate(struct Configurable *config, int argc, char *argv[])
       curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, config->key_passwd);
 
       if(config->cacert || config->capath) {
-        if (config->cacert) curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
+        if (config->cacert)
-        if (config->capath) curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
+          curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
+
+        if (config->capath)
+          curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, TRUE);
         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
       }
-      else
+      else {
+        if(config->insecure_ok)
+          /* new stuff needed for libcurl 7.10 */
+          curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
+
         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
+      }
       
       if((config->conf&CONF_NOBODY) ||
          config->remote_time) {
@@ -2798,9 +2806,6 @@ operate(struct Configurable *config, int argc, char *argv[])
       }
       curl_easy_setopt(curl, CURLOPT_VERBOSE, config->conf&CONF_VERBOSE);
 
-      /* new in curl 7.10 */
-      curl_easy_setopt(curl, CURLOPT_SSL_INSECURE, config->insecure_ok);
-      
       res = curl_easy_perform(curl);
         
       if((config->progressmode == CURL_PROGRESS_BAR) &&
@@ -2823,28 +2828,8 @@ operate(struct Configurable *config, int argc, char *argv[])
         vms_show = VMSSTS_HIDE;
       }
 #else
-      if((res!=CURLE_OK) && config->showerror) {
+      if((res!=CURLE_OK) && config->showerror)
-        switch(res) {
+        fprintf(config->errors, "curl: (%d) %s\n", res, errorbuffer);
-        case CURLE_SSL_INSECURE:
-          /* Since this breaks how curl used to work, we need a slightly more
-             verbose and descriptive error here to educate people what is
-             happening and what to do to make it work. At least for a
-             while. */
-          fprintf(config->errors, "curl: (%d) %s\n%s", res,
-                  errorbuffer,
-                  "      Since SSL doesn't offer any true security if you don't use a CA\n"
-                  "      certificate to verify the peer certificate with, you must either\n"
-                  "      provide one to make sure that the server really is the server you\n"
-                  "      think it is, or you must explicitly tell curl that insecure SSL\n"
-                  "      connects are fine.\n"
-                  "      Allow insecure SSL operations with -k/--insecure\n"
-                  );
-          break;
-        default:
-          fprintf(config->errors, "curl: (%d) %s\n", res, errorbuffer);
-          break;
-        }
-      }
 #endif
 
       if (outfile && !strequal(outfile, "-") && outs.stream)