I renamed the CURLE_SSL_PEER_CERTIFICATE error code to
CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made this return code get used by the previous SSH MD5 fingerprint check in case it fails.
This commit is contained in:
parent
51c6a5d43b
commit
ce81cd21d3
5
CHANGES
5
CHANGES
@ -7,6 +7,11 @@
|
||||
Changelog
|
||||
|
||||
Daniel S (3 October 2007)
|
||||
- I renamed the CURLE_SSL_PEER_CERTIFICATE error code to
|
||||
CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made
|
||||
this return code get used by the previous SSH MD5 fingerprint check in case
|
||||
it fails.
|
||||
|
||||
- Based on a patch brought by Johnny Luong, libcurl now offers
|
||||
CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and the curl tool --hostpubmd5. They both
|
||||
make the SCP or SFTP connection verify the remote host's md5 checksum of the
|
||||
|
@ -1512,7 +1512,7 @@ Unknown TELNET option specified.
|
||||
.IP 49
|
||||
Malformed telnet option.
|
||||
.IP 51
|
||||
The remote peer's SSL certificate wasn't ok
|
||||
The peer's SSL certificate or SSH MD5 fingerprint was not ok
|
||||
.IP 52
|
||||
The server didn't reply anything, which here is considered an error.
|
||||
.IP 53
|
||||
|
@ -148,8 +148,8 @@ An option set with CURLOPT_TELNETOPTIONS was not recognized/known. Refer to
|
||||
the appropriate documentation.
|
||||
.IP "CURLE_TELNET_OPTION_SYNTAX (49)"
|
||||
A telnet option string was Illegally formatted.
|
||||
.IP "CURLE_SSL_PEER_CERTIFICATE (51)"
|
||||
The remote server's SSL certificate was deemed not OK.
|
||||
.IP "CURLE_PEER_FAILED_VERIFICATION (51)"
|
||||
The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK.
|
||||
.IP "CURLE_GOT_NOTHING (52)"
|
||||
Nothing was returned from the server, and under the circumstances, getting
|
||||
nothing is considered an error.
|
||||
|
@ -367,7 +367,8 @@ typedef enum {
|
||||
CURLE_UNKNOWN_TELNET_OPTION, /* 48 - User specified an unknown option */
|
||||
CURLE_TELNET_OPTION_SYNTAX , /* 49 - Malformed telnet option */
|
||||
CURLE_OBSOLETE50, /* 50 - NOT USED */
|
||||
CURLE_SSL_PEER_CERTIFICATE, /* 51 - peer's certificate wasn't ok */
|
||||
CURLE_PEER_FAILED_VERIFICATION, /* 51 - peer's certificate or fingerprint
|
||||
wasn't verified fine */
|
||||
CURLE_GOT_NOTHING, /* 52 - when this is a specific error */
|
||||
CURLE_SSL_ENGINE_NOTFOUND, /* 53 - SSL crypto engine not found */
|
||||
CURLE_SSL_ENGINE_SETFAILED, /* 54 - can not set SSL crypto engine as
|
||||
@ -416,9 +417,13 @@ typedef enum {
|
||||
the obsolete stuff removed! */
|
||||
|
||||
/* Backwards compatibility with older names */
|
||||
|
||||
/* The following were added in 7.17.1 */
|
||||
/* These are scheduled to disappear by 2009 */
|
||||
#define CURLE_SSL_PEER_CERTIFICATE CURLE_PEER_FAILED_VERIFICATION
|
||||
|
||||
/* The following were added in 7.17.0 */
|
||||
/* These are scheduled to disappear by 2009 */
|
||||
#define CURLE_OBSOLETE CURLE_OBSOLETE50 /* noone should be using this! */
|
||||
#define CURLE_BAD_PASSWORD_ENTERED CURLE_OBSOLETE46
|
||||
#define CURLE_BAD_CALLING_ORDER CURLE_OBSOLETE44
|
||||
|
@ -352,7 +352,7 @@ Curl_gtls_connect(struct connectdata *conn,
|
||||
if(!chainp) {
|
||||
if(data->set.ssl.verifyhost) {
|
||||
failf(data, "failed to get server cert");
|
||||
return CURLE_SSL_PEER_CERTIFICATE;
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
}
|
||||
infof(data, "\t common name: WARNING couldn't obtain\n");
|
||||
}
|
||||
@ -413,7 +413,7 @@ Curl_gtls_connect(struct connectdata *conn,
|
||||
failf(data, "SSL: certificate subject name (%s) does not match "
|
||||
"target host name '%s'", certbuf, conn->host.dispname);
|
||||
gnutls_x509_crt_deinit(x509_cert);
|
||||
return CURLE_SSL_PEER_CERTIFICATE;
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
}
|
||||
else
|
||||
infof(data, "\t common name: %s (does not match '%s')\n",
|
||||
@ -433,7 +433,7 @@ Curl_gtls_connect(struct connectdata *conn,
|
||||
if(clock < time(NULL)) {
|
||||
if (data->set.ssl.verifypeer) {
|
||||
failf(data, "server certificate expiration date has passed.");
|
||||
return CURLE_SSL_PEER_CERTIFICATE;
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
}
|
||||
else
|
||||
infof(data, "\t server certificate expiration date FAILED\n");
|
||||
@ -451,7 +451,7 @@ Curl_gtls_connect(struct connectdata *conn,
|
||||
if(clock > time(NULL)) {
|
||||
if (data->set.ssl.verifypeer) {
|
||||
failf(data, "server certificate not activated yet.");
|
||||
return CURLE_SSL_PEER_CERTIFICATE;
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
}
|
||||
else
|
||||
infof(data, "\t server certificate activation date FAILED\n");
|
||||
|
@ -220,7 +220,7 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
|
||||
case SSL_ERROR_BAD_CERTIFICATE:
|
||||
case SSL_ERROR_BAD_CERT_SIG:
|
||||
case SSL_ERROR_NOT_TRUSTED_ROOT:
|
||||
return CURLE_SSL_PEER_CERTIFICATE;
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
|
||||
case SSL_ERROR_BAD_CIPHER_SUITE:
|
||||
case SSL_ERROR_NO_CIPHERS:
|
||||
|
@ -371,7 +371,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
|
||||
"Remote %s is not equal to %s",
|
||||
buf, data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]);
|
||||
state(conn, SSH_SESSION_FREE);
|
||||
sshc->actualCode = CURLE_FAILED_INIT;
|
||||
sshc->actualCode = CURLE_PEER_FAILED_VERIFICATION;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
@ -1121,13 +1121,13 @@ static CURLcode verifyhost(struct connectdata *conn,
|
||||
if (!peer_CN) {
|
||||
failf(data,
|
||||
"SSL: unable to obtain common name from peer certificate");
|
||||
return CURLE_SSL_PEER_CERTIFICATE;
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
}
|
||||
else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
|
||||
if(data->set.ssl.verifyhost > 1) {
|
||||
failf(data, "SSL: certificate subject name '%s' does not match "
|
||||
"target host name '%s'", peer_CN, conn->host.dispname);
|
||||
res = CURLE_SSL_PEER_CERTIFICATE;
|
||||
res = CURLE_PEER_FAILED_VERIFICATION;
|
||||
}
|
||||
else
|
||||
infof(data, "\t common name: %s (does not match '%s')\n",
|
||||
@ -1624,7 +1624,7 @@ Curl_ossl_connect_step3(struct connectdata *conn,
|
||||
connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
|
||||
if(!connssl->server_cert) {
|
||||
failf(data, "SSL: couldn't get peer certificate!");
|
||||
return CURLE_SSL_PEER_CERTIFICATE;
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
}
|
||||
infof (data, "Server certificate:\n");
|
||||
|
||||
@ -1675,7 +1675,7 @@ Curl_ossl_connect_step3(struct connectdata *conn,
|
||||
and we return earlyer if verifypeer is set? */
|
||||
failf(data, "SSL certificate verify result: %s (%ld)",
|
||||
X509_verify_cert_error_string(lerr), lerr);
|
||||
retcode = CURLE_SSL_PEER_CERTIFICATE;
|
||||
retcode = CURLE_PEER_FAILED_VERIFICATION;
|
||||
}
|
||||
else
|
||||
infof(data, "SSL certificate verify result: %s (%ld),"
|
||||
|
@ -174,8 +174,8 @@ curl_easy_strerror(CURLcode error)
|
||||
case CURLE_TELNET_OPTION_SYNTAX :
|
||||
return "Malformed telnet option";
|
||||
|
||||
case CURLE_SSL_PEER_CERTIFICATE:
|
||||
return "SSL peer certificate was not OK";
|
||||
case CURLE_PEER_FAILED_VERIFICATION:
|
||||
return "SSL peer certificate or SSH md5 fingerprint was not OK";
|
||||
|
||||
case CURLE_GOT_NOTHING:
|
||||
return "Server returned nothing (no headers, no data)";
|
||||
|
Loading…
Reference in New Issue
Block a user