gtls: add support for CURLOPT_CAPATH

This commit is contained in:
Alessandro Ghedini 2015-03-08 20:11:06 +01:00 committed by Daniel Stenberg
parent 0f24df6e54
commit 5a1614cecd
4 changed files with 29 additions and 5 deletions

View File

@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
capath="no"
elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
dnl --with-ca-path given
if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
AC_MSG_ERROR([--with-ca-path only works with openSSL or PolarSSL])
if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL])
fi
capath="$want_capath"
ca="no"

View File

@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
.SH EXAMPLE
TODO
.SH AVAILABILITY
This option is OpenSSL-specific and does nothing if libcurl is built to use
GnuTLS. NSS-powered libcurl provides the option only for backward
compatibility.
This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS
backend provides the option only for backward compatibility.
.SH RETURN VALUE
Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.

View File

@ -97,6 +97,10 @@ static bool gtls_inited = FALSE;
# if (GNUTLS_VERSION_NUMBER >= 0x03020d)
# define HAS_OCSP
# endif
# if (GNUTLS_VERSION_NUMBER >= 0x030306)
# define HAS_CAPATH
# endif
#endif
#ifdef HAS_OCSP
@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn,
rc, data->set.ssl.CAfile);
}
#ifdef HAS_CAPATH
if(data->set.ssl.CApath) {
/* set the trusted CA cert directory */
rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred,
data->set.ssl.CApath,
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
infof(data, "error reading ca cert file %s (%s)\n",
data->set.ssl.CAfile, gnutls_strerror(rc));
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
else
infof(data, "found %d certificates in %s\n",
rc, data->set.ssl.CApath);
}
#endif
if(data->set.ssl.CRLfile) {
/* set the CRL list file */
rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,

View File

@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void);
/* Set the API backend definition to GnuTLS */
#define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS
/* this backend supports the CAPATH option */
#define have_curlssl_ca_path 1
/* API setup for GnuTLS */
#define curlssl_init Curl_gtls_init
#define curlssl_cleanup Curl_gtls_cleanup