I renamed the CURLE_SSL_PEER_CERTIFICATE error code to

CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made this
return code get used by the previous SSH MD5 fingerprint check in case it
fails.
Daniel Stenberg 2007-10-03 08:07:50 +00:00
parent 51c6a5d43b
commit ce81cd21d3
9 changed files with 26 additions and 16 deletions


@ -7,6 +7,11 @@
Changelog
Daniel S (3 October 2007)
- I renamed the CURLE_SSL_PEER_CERTIFICATE error code to
CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made
this return code get used by the previous SSH MD5 fingerprint check in case
it fails.
- Based on a patch brought by Johnny Luong, libcurl now offers
CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and the curl tool --hostpubmd5. They both
make the SCP or SFTP connection verify the remote host's md5 checksum of the


@ -1512,7 +1512,7 @@ Unknown TELNET option specified.
.IP 49
Malformed telnet option.
.IP 51
The remote peer's SSL certificate wasn't ok
The peer's SSL certificate or SSH MD5 fingerprint was not ok
.IP 52
The server didn't reply anything, which here is considered an error.
.IP 53


@ -148,8 +148,8 @@ An option set with CURLOPT_TELNETOPTIONS was not recognized/known. Refer to
the appropriate documentation.
.IP "CURLE_TELNET_OPTION_SYNTAX (49)"
A telnet option string was Illegally formatted.
.IP "CURLE_SSL_PEER_CERTIFICATE (51)"
The remote server's SSL certificate was deemed not OK.
.IP "CURLE_PEER_FAILED_VERIFICATION (51)"
The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK.
.IP "CURLE_GOT_NOTHING (52)"
Nothing was returned from the server, and under the circumstances, getting
nothing is considered an error.


@ -367,7 +367,8 @@ typedef enum {
CURLE_UNKNOWN_TELNET_OPTION, /* 48 - User specified an unknown option */
CURLE_TELNET_OPTION_SYNTAX , /* 49 - Malformed telnet option */
CURLE_OBSOLETE50, /* 50 - NOT USED */
CURLE_SSL_PEER_CERTIFICATE, /* 51 - peer's certificate wasn't ok */
CURLE_PEER_FAILED_VERIFICATION, /* 51 - peer's certificate or fingerprint
wasn't verified fine */
CURLE_GOT_NOTHING, /* 52 - when this is a specific error */
CURLE_SSL_ENGINE_NOTFOUND, /* 53 - SSL crypto engine not found */
CURLE_SSL_ENGINE_SETFAILED, /* 54 - can not set SSL crypto engine as
@ -416,9 +417,13 @@ typedef enum {
the obsolete stuff removed! */
/* Backwards compatibility with older names */
/* The following were added in 7.17.1 */
/* These are scheduled to disappear by 2009 */
#define CURLE_SSL_PEER_CERTIFICATE CURLE_PEER_FAILED_VERIFICATION
/* The following were added in 7.17.0 */
/* These are scheduled to disappear by 2009 */
#define CURLE_OBSOLETE CURLE_OBSOLETE50 /* noone should be using this! */
#define CURLE_BAD_PASSWORD_ENTERED CURLE_OBSOLETE46
#define CURLE_BAD_CALLING_ORDER CURLE_OBSOLETE44
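Review bot: The enum comment added on the CURLE_PEER_FAILED_VERIFICATION line in the first hunk reads "peer's certificate or fingerprint wasn't verified fine", which is awkward and wraps onto a second line unlike the neighbouring entries; a shorter one-line form such as `CURLE_PEER_FAILED_VERIFICATION, /* 51 - peer's certificate or fingerprint was not verified */` keeps the column layout of the enum. Since this header is the public API, it would also help to state next to the new `#define CURLE_SSL_PEER_CERTIFICATE` in the second hunk that only the name changed and the numeric value 51 is preserved, e.g. `/* same value (51), renamed in 7.17.1 */`, so downstream code that matches on the integer knows nothing moved. The enclosing `typedef enum` and the `CURL_NO_OLDIES` conditional begin outside this hunk.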


@ -352,7 +352,7 @@ Curl_gtls_connect(struct connectdata *conn,
if(!chainp) {
if(data->set.ssl.verifyhost) {
failf(data, "failed to get server cert");
return CURLE_SSL_PEER_CERTIFICATE;
return CURLE_PEER_FAILED_VERIFICATION;
}
infof(data, "\t common name: WARNING couldn't obtain\n");
}
@ -413,7 +413,7 @@ Curl_gtls_connect(struct connectdata *conn,
failf(data, "SSL: certificate subject name (%s) does not match "
"target host name '%s'", certbuf, conn->host.dispname);
gnutls_x509_crt_deinit(x509_cert);
return CURLE_SSL_PEER_CERTIFICATE;
return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t common name: %s (does not match '%s')\n",
@ -433,7 +433,7 @@ Curl_gtls_connect(struct connectdata *conn,
if(clock < time(NULL)) {
if (data->set.ssl.verifypeer) {
failf(data, "server certificate expiration date has passed.");
return CURLE_SSL_PEER_CERTIFICATE;
return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t server certificate expiration date FAILED\n");
@ -451,7 +451,7 @@ Curl_gtls_connect(struct connectdata *conn,
if(clock > time(NULL)) {
if (data->set.ssl.verifypeer) {
failf(data, "server certificate not activated yet.");
return CURLE_SSL_PEER_CERTIFICATE;
return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t server certificate activation date FAILED\n");
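Review bot: In the first hunk of this file the "failed to get server cert" path returns CURLE_PEER_FAILED_VERIFICATION only when `data->set.ssl.verifyhost` is set, whereas the OpenSSL backend in this same commit fails unconditionally when `SSL_get_peer_certificate` returns NULL, so a user with verifypeer on but verifyhost off gets a hard failure on one backend and only an infof on the other. If the gnutls peer verification earlier in Curl_gtls_connect already rejects this case under verifypeer the difference is cosmetic, but that is not visible from the hunk; otherwise the guard should read `if(data->set.ssl.verifyhost || data->set.ssl.verifypeer) {`. Either way a one-line comment above the check stating why a missing certificate is treated as a hostname-verification failure rather than a peer-verification failure would make the intent reviewable. Curl_gtls_connect starts and ends outside these hunks.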


@ -220,7 +220,7 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
case SSL_ERROR_BAD_CERTIFICATE:
case SSL_ERROR_BAD_CERT_SIG:
case SSL_ERROR_NOT_TRUSTED_ROOT:
return CURLE_SSL_PEER_CERTIFICATE;
return CURLE_PEER_FAILED_VERIFICATION;
case SSL_ERROR_BAD_CIPHER_SUITE:
case SSL_ERROR_NO_CIPHERS:


@ -371,7 +371,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
"Remote %s is not equal to %s",
buf, data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]);
state(conn, SSH_SESSION_FREE);
sshc->actualCode = CURLE_FAILED_INIT;
sshc->actualCode = CURLE_PEER_FAILED_VERIFICATION;
break;
}
}


@ -1121,13 +1121,13 @@ static CURLcode verifyhost(struct connectdata *conn,
if (!peer_CN) {
failf(data,
"SSL: unable to obtain common name from peer certificate");
return CURLE_SSL_PEER_CERTIFICATE;
return CURLE_PEER_FAILED_VERIFICATION;
}
else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
if(data->set.ssl.verifyhost > 1) {
failf(data, "SSL: certificate subject name '%s' does not match "
"target host name '%s'", peer_CN, conn->host.dispname);
res = CURLE_SSL_PEER_CERTIFICATE;
res = CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t common name: %s (does not match '%s')\n",
@ -1624,7 +1624,7 @@ Curl_ossl_connect_step3(struct connectdata *conn,
connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
if(!connssl->server_cert) {
failf(data, "SSL: couldn't get peer certificate!");
return CURLE_SSL_PEER_CERTIFICATE;
return CURLE_PEER_FAILED_VERIFICATION;
}
infof (data, "Server certificate:\n");
@ -1675,7 +1675,7 @@ Curl_ossl_connect_step3(struct connectdata *conn,
and we return earlyer if verifypeer is set? */
failf(data, "SSL certificate verify result: %s (%ld)",
X509_verify_cert_error_string(lerr), lerr);
retcode = CURLE_SSL_PEER_CERTIFICATE;
retcode = CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "SSL certificate verify result: %s (%ld),"
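Review bot: The changed `retcode = CURLE_PEER_FAILED_VERIFICATION;` in the last hunk sits directly under a comment that still ends in a question ("and we return earlyer if verifypeer is set?"), so the reader cannot tell whether this branch is ever reached with verifypeer enabled or is a redundant second check. Since the commit is already touching this line, it is the moment to settle that and replace the question with a statement such as `/* verifypeer is set and the chain was not accepted: fail the connection */` or, if the earlier return makes it unreachable, to say so explicitly. The comment begins before this hunk and Curl_ossl_connect_step3 continues past it.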


@ -174,8 +174,8 @@ curl_easy_strerror(CURLcode error)
case CURLE_TELNET_OPTION_SYNTAX :
return "Malformed telnet option";
case CURLE_SSL_PEER_CERTIFICATE:
return "SSL peer certificate was not OK";
case CURLE_PEER_FAILED_VERIFICATION:
return "SSL peer certificate or SSH md5 fingerprint was not OK";
case CURLE_GOT_NOTHING:
return "Server returned nothing (no headers, no data)";
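Review bot: The new strerror text "SSL peer certificate or SSH md5 fingerprint was not OK" describes the same condition as the curl.1 entry ("The peer's SSL certificate or SSH MD5 fingerprint was not ok") and the libcurl-errors.3 entry ("The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK") in this commit, in three different wordings and two spellings of MD5. Pick one phrasing for all three, e.g. `return "SSL peer certificate or SSH MD5 fingerprint was not OK";`, since this string is what applications show to users when they log the CURLcode.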