diff options
author | Jay Satiro <raysatiro@yahoo.com> | 2020-06-22 12:01:32 -0400 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2020-06-22 15:31:38 -0400 |
commit | abbc5d6044f95ba84acaae6912b2d097c6b435d1 (patch) | |
tree | a6e27c4703269f08accfb41cb1245fe610490d1f /lib/vtls/openssl.c | |
parent | bc052cc87858684774849398ad1073d56d7f09e9 (diff) | |
download | gnurl-abbc5d6044f95ba84acaae6912b2d097c6b435d1.tar.gz gnurl-abbc5d6044f95ba84acaae6912b2d097c6b435d1.tar.bz2 gnurl-abbc5d6044f95ba84acaae6912b2d097c6b435d1.zip |
openssl: Don't ignore CA paths when using Windows CA store
This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does
not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default
locations. Instead the CA store can now be used at the same time.
The change is due to the impending release. The issue is still being
discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and
is now documented as experimental.
Ref: bc052cc (parent commit)
Ref: https://github.com/curl/curl/issues/5585
Diffstat (limited to 'lib/vtls/openssl.c')
-rw-r--r-- | lib/vtls/openssl.c | 22 |
1 files changed, 9 insertions, 13 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 897ca6880..790d35862 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2488,6 +2488,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); char error_buffer[256]; struct ssl_backend_data *backend = connssl->backend; + bool imported_native_ca = false; DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); @@ -2940,9 +2941,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) if(X509_STORE_add_cert(store, x509) == 1) { #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) infof(data, "SSL: Imported cert \"%s\"\n", cert_name); -#else - do {} while(0); #endif + imported_native_ca = true; } X509_free(x509); } @@ -2953,16 +2953,12 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) if(result) return result; - - infof(data, "successfully set certificate verify locations " - "to windows ca store\n"); - } - else { - infof(data, "error setting certificate verify locations " - "to windows ca store, continuing anyway\n"); } + if(imported_native_ca) + infof(data, "successfully imported windows ca store\n"); + else + infof(data, "error importing windows ca store, continuing anyway\n"); } - else #endif #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) @@ -2998,7 +2994,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) /* tell SSL where to find CA certificates that are used to verify the servers certificate. */ if(!SSL_CTX_load_verify_locations(backend->ctx, ssl_cafile, ssl_capath)) { - if(verifypeer) { + if(verifypeer && !imported_native_ca) { /* Fail if we insist on successfully verifying the server. */ failf(data, "error setting certificate verify locations:\n" " CAfile: %s\n CApath: %s", @@ -3006,7 +3002,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) ssl_capath ? ssl_capath : "none"); return CURLE_SSL_CACERT_BADFILE; } - /* Just continue with a warning if no strict certificate verification + /* Just continue with a warning if no strict certificate verification is required. */ infof(data, "error setting certificate verify locations," " continuing anyway:\n"); @@ -3024,7 +3020,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) #endif #ifdef CURL_CA_FALLBACK - if(verifypeer && !ssl_cafile && !ssl_capath) { + if(verifypeer && !ssl_cafile && !ssl_capath && !imported_native_ca) { /* verifying the peer without any CA certificates won't work so use openssl's built in default as fallback */ SSL_CTX_set_default_verify_paths(backend->ctx); |