url: add CURLOPT_SSL_VERIFYSTATUS option
This option can be used to enable/disable certificate status verification using the "Certificate Status Request" TLS extension defined in RFC6066 section 8. This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the certificate status verification fails, and the Curl_ssl_cert_status_request() function, used to check whether the SSL backend supports the status_request extension.
This commit is contained in:
parent
5e113a18c5
commit
3af90a6e19
53
docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3
Normal file
53
docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3
Normal file
@ -0,0 +1,53 @@
|
||||
.\" **************************************************************************
|
||||
.\" * _ _ ____ _
|
||||
.\" * Project ___| | | | _ \| |
|
||||
.\" * / __| | | | |_) | |
|
||||
.\" * | (__| |_| | _ <| |___
|
||||
.\" * \___|\___/|_| \_\_____|
|
||||
.\" *
|
||||
.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" *
|
||||
.\" * This software is licensed as described in the file COPYING, which
|
||||
.\" * you should have received as part of this distribution. The terms
|
||||
.\" * are also available at http://curl.haxx.se/docs/copyright.html.
|
||||
.\" *
|
||||
.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
||||
.\" * copies of the Software, and permit persons to whom the Software is
|
||||
.\" * furnished to do so, under the terms of the COPYING file.
|
||||
.\" *
|
||||
.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
||||
.\" * KIND, either express or implied.
|
||||
.\" *
|
||||
.\" **************************************************************************
|
||||
.\"
|
||||
.TH CURLOPT_SSL_VERIFYSTATUS 3 "04 Dec 2014" "libcurl 7.40.0" "curl_easy_setopt options"
|
||||
.SH NAME
|
||||
CURLOPT_SSL_VERIFYSTATUS \- verify the certificate's status
|
||||
.SH SYNOPSIS
|
||||
#include <curl/curl.h>
|
||||
|
||||
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_VERIFYSTATUS, long verify);
|
||||
.SH DESCRIPTION
|
||||
Pass a long as parameter to enable or disable.
|
||||
|
||||
This option determines whether libcurl verifies the status of the server cert
|
||||
using the "Certificate Status Request" TLS extension (aka. OCSP stapling).
|
||||
|
||||
Note that if this option is enabled but the server does not support the TLS
|
||||
extension, the verification will fail.
|
||||
|
||||
.SH DEFAULT
|
||||
0
|
||||
.SH PROTOCOLS
|
||||
All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
|
||||
.SH EXAMPLE
|
||||
TODO
|
||||
.SH AVAILABILITY
|
||||
This is currently only supported by the GnuTLS and NSS TLS backends.
|
||||
.SH RETURN VALUE
|
||||
Returns CURLE_OK if OCSP stapling is supported by the SSL backend, otherwise
|
||||
returns CURLE_NOT_BUILT_IN.
|
||||
.SH "SEE ALSO"
|
||||
.BR CURLOPT_SSL_VERIFYHOST "(3), "
|
||||
.BR CURLOPT_SSL_VERIFYPEER "(3), "
|
||||
.BR CURLOPT_CAINFO "(3), "
|
@ -118,6 +118,7 @@ CURLE_SSL_CRL_BADFILE 7.19.0
|
||||
CURLE_SSL_ENGINE_INITFAILED 7.12.3
|
||||
CURLE_SSL_ENGINE_NOTFOUND 7.9.3
|
||||
CURLE_SSL_ENGINE_SETFAILED 7.9.3
|
||||
CURLE_SSL_INVALIDCERTSTATUS 7.41.0
|
||||
CURLE_SSL_ISSUER_ERROR 7.19.0
|
||||
CURLE_SSL_PEER_CERTIFICATE 7.8 7.17.1
|
||||
CURLE_SSL_PINNEDPUBKEYNOTMATCH 7.39.0
|
||||
@ -513,6 +514,7 @@ CURLOPT_SSL_OPTIONS 7.25.0
|
||||
CURLOPT_SSL_SESSIONID_CACHE 7.16.0
|
||||
CURLOPT_SSL_VERIFYHOST 7.8.1
|
||||
CURLOPT_SSL_VERIFYPEER 7.4.2
|
||||
CURLOPT_SSL_VERIFYSTATUS 7.41.0
|
||||
CURLOPT_STDERR 7.1
|
||||
CURLOPT_TCP_KEEPALIVE 7.25.0
|
||||
CURLOPT_TCP_KEEPIDLE 7.25.0
|
||||
|
@ -523,6 +523,7 @@ typedef enum {
|
||||
session will be queued */
|
||||
CURLE_SSL_PINNEDPUBKEYNOTMATCH, /* 90 - specified pinned public key did not
|
||||
match */
|
||||
CURLE_SSL_INVALIDCERTSTATUS, /* 91 - invalid certificate status */
|
||||
CURL_LAST /* never use! */
|
||||
} CURLcode;
|
||||
|
||||
@ -1622,6 +1623,9 @@ typedef enum {
|
||||
/* Path to Unix domain socket */
|
||||
CINIT(UNIX_SOCKET_PATH, OBJECTPOINT, 231),
|
||||
|
||||
/* Set if we should verify the certificate status. */
|
||||
CINIT(SSL_VERIFYSTATUS, LONG, 232),
|
||||
|
||||
CURLOPT_LASTENTRY /* the last unused */
|
||||
} CURLoption;
|
||||
|
||||
|
@ -5,7 +5,7 @@
|
||||
* | (__| |_| | _ <| |___
|
||||
* \___|\___/|_| \_\_____|
|
||||
*
|
||||
* Copyright (C) 2004 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
* Copyright (C) 2004 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
*
|
||||
* This software is licensed as described in the file COPYING, which
|
||||
* you should have received as part of this distribution. The terms
|
||||
@ -301,6 +301,9 @@ curl_easy_strerror(CURLcode error)
|
||||
case CURLE_SSL_PINNEDPUBKEYNOTMATCH:
|
||||
return "SSL public key does not match pinned public key";
|
||||
|
||||
case CURLE_SSL_INVALIDCERTSTATUS:
|
||||
return "SSL server certificate status verification FAILED";
|
||||
|
||||
/* error codes not used by current libcurl */
|
||||
case CURLE_OBSOLETE20:
|
||||
case CURLE_OBSOLETE24:
|
||||
|
11
lib/url.c
11
lib/url.c
@ -1997,6 +1997,17 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
|
||||
|
||||
data->set.ssl.verifyhost = (0 != arg)?TRUE:FALSE;
|
||||
break;
|
||||
case CURLOPT_SSL_VERIFYSTATUS:
|
||||
/*
|
||||
* Enable certificate status verifying.
|
||||
*/
|
||||
if(!Curl_ssl_cert_status_request()) {
|
||||
result = CURLE_NOT_BUILT_IN;
|
||||
break;
|
||||
}
|
||||
|
||||
data->set.ssl.verifystatus = (0 != va_arg(param, long))?TRUE:FALSE;
|
||||
break;
|
||||
case CURLOPT_SSL_CTX_FUNCTION:
|
||||
#ifdef have_curlssl_ssl_ctx
|
||||
/*
|
||||
|
@ -366,6 +366,7 @@ struct ssl_config_data {
|
||||
|
||||
bool verifypeer; /* set TRUE if this is desired */
|
||||
bool verifyhost; /* set TRUE if CN/SAN must match hostname */
|
||||
bool verifystatus; /* set TRUE if certificate status must be checked */
|
||||
char *CApath; /* certificate dir (doesn't work on windows) */
|
||||
char *CAfile; /* certificate to verify peer against */
|
||||
const char *CRLfile; /* CRL to check certificate revocation */
|
||||
|
@ -848,4 +848,16 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* Check whether the SSL backend supports the status_request extension.
|
||||
*/
|
||||
bool Curl_ssl_cert_status_request(void)
|
||||
{
|
||||
#ifdef curlssl_cert_status_request
|
||||
return curlssl_cert_status_request();
|
||||
#else
|
||||
return FALSE;
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif /* USE_SSL */
|
||||
|
@ -116,6 +116,8 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */
|
||||
CURLcode Curl_pin_peer_pubkey(const char *pinnedpubkey,
|
||||
const unsigned char *pubkey, size_t pubkeylen);
|
||||
|
||||
bool Curl_ssl_cert_status_request(void);
|
||||
|
||||
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
|
||||
|
||||
#else
|
||||
|
Loading…
Reference in New Issue
Block a user