author | ejanchivdorj <ejanchivdorj@tableau.com> | 2021-03-10 23:50:13 -0800 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2021-05-03 17:11:01 +0200 |
commit | 94241a9e78397a2aaf89a213e6ada61e7de7ee02 (patch) | |
tree | 20226064392759a6e5f957923d5298e26bcb66fc | |
parent | 0acfe05c2ec01545aae7c3cfdfda91a71b1b24dc (diff) | |
download | curl-94241a9e78397a2aaf89a213e6ada61e7de7ee02.tar.gz |
CURLcode: add CURLE_SSL_CLIENTCERT
When a TLS server requests a client certificate during the handshake and
none can be provided, libcurl now returns the new error code
CURLE_SSL_CLIENTCERT.
Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.
Closes #6721
-rw-r--r-- | docs/libcurl/libcurl-errors.3 | 2 | ||||
-rw-r--r-- | docs/libcurl/symbols-in-versions | 1 | ||||
-rw-r--r-- | include/curl/curl.h | 1 | ||||
-rw-r--r-- | lib/strerror.c | 5 | ||||
-rw-r--r-- | lib/vtls/openssl.c | 13 | ||||
-rw-r--r-- | lib/vtls/sectransp.c | 5 | ||||
-rw-r--r-- | tests/data/test1538 | 3 |
7 files changed, 26 insertions, 4 deletions
diff --git a/docs/libcurl/libcurl-errors.3 b/docs/libcurl/libcurl-errors.3
index ae8c674e9..82005f21f 100644
--- a/docs/libcurl/libcurl-errors.3
+++ b/docs/libcurl/libcurl-errors.3
@@ -262,6 +262,8 @@ be one out of several problems, see the error buffer for details.
 .IP "CURLE_QUIC_CONNECT_ERROR (96)"
 QUIC connection error. This error may be caused by an SSL library error. QUIC is the protocol used for HTTP/3 transfers.
+.IP "CURLE_SSL_CLIENTCERT (98)"
+SSL Client Certificate required.
 .IP "CURLE_OBSOLETE*"
 These error codes will never be returned. They were used in an old libcurl version and are currently unused.
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 0d089ec43..9e27f5ef0 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -126,6 +126,7 @@ CURLE_SSL_CACERT 7.10 7.62.0
 CURLE_SSL_CACERT_BADFILE 7.16.0
 CURLE_SSL_CERTPROBLEM 7.10
 CURLE_SSL_CIPHER 7.10
+CURLE_SSL_CLIENTCERT 7.77.0
 CURLE_SSL_CONNECT_ERROR 7.1
 CURLE_SSL_CRL_BADFILE 7.19.0
 CURLE_SSL_ENGINE_INITFAILED 7.12.3
diff --git a/include/curl/curl.h b/include/curl/curl.h
index cd3207b1f..1354fba32 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -612,6 +612,7 @@ typedef enum {
 CURLE_HTTP3, /* 95 - An HTTP/3 layer problem */
 CURLE_QUIC_CONNECT_ERROR, /* 96 - QUIC connection error */
 CURLE_PROXY, /* 97 - proxy handshake error */
+ CURLE_SSL_CLIENTCERT, /* 98 - client-side certificate required */
 CURL_LAST /* never use! */
 } CURLcode;
diff --git a/lib/strerror.c b/lib/strerror.c
index 3862aabd6..5298a0d76 100644
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -320,9 +320,12 @@ curl_easy_strerror(CURLcode error)
 case CURLE_QUIC_CONNECT_ERROR:
 return "QUIC connection error";
- case CURLE_PROXY:
+ case CURLE_PROXY:
 return "proxy handshake error";
+ case CURLE_SSL_CLIENTCERT:
+ return "SSL Client Certificate required";
+
 /* error codes not used by current libcurl */
 case CURLE_OBSOLETE20:
 case CURLE_OBSOLETE24:
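Review bot: The new message `"SSL Client Certificate required"` in the CURLE_SSL_CLIENTCERT case of curl_easy_strerror is capitalised differently from the neighbouring cases (`"proxy handshake error"`, `"QUIC connection error"`), which are all lowercase apart from acronyms; `return "SSL client certificate required";` would match the file's style. The same text is mirrored in docs/libcurl/libcurl-errors.3 and tests/data/test1538 in this commit, so the three would need to change together. The enclosing switch and curl_easy_strerror continue outside the hunk.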
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index e1c15addd..de484d563 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3292,6 +3292,19 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data,
 error_buffer */
 strcpy(error_buffer, "SSL certificate verification failed");
 }
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
+ !defined(LIBRESSL_VERSION_NUMBER) && \
+ !defined(OPENSSL_IS_BORINGSSL))
+ /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
+ OpenSSL version above v1.1.1, not Libre SSL nor BoringSSL */
+ else if((lib == ERR_LIB_SSL) &&
+ (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
+ /* If client certificate is required, communicate the
+ error to client */
+ result = CURLE_SSL_CLIENTCERT;
+ ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
+ }
+#endif
 else {
 result = CURLE_SSL_CONNECT_ERROR;
 ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
index 446568205..6ec37a3cc 100644
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@@ -2708,8 +2708,9 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn,
 #if CURL_BUILD_MAC_10_6
 /* Only returned when kSSLSessionOptionBreakOnCertRequested is set */
 case errSSLClientCertRequested:
- failf(data, "The server has requested a client certificate");
- break;
+ failf(data, "Server requested a client certificate during the "
+ "handshake");
+ return CURLE_SSL_CLIENTCERT;
 #endif
 #if CURL_BUILD_MAC_10_9
 /* Alias for errSSLLast, end of error range */
diff --git a/tests/data/test1538 b/tests/data/test1538
index ec86dd075..4d7535ced 100644
--- a/tests/data/test1538
+++ b/tests/data/test1538
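Review bot: The new `else if` branch maps SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED only inside ossl_connect_step2, but in TLS 1.3 the server's certificate_required alert is sent after the client's Finished, so SSL_connect() has presumably already returned success and the alert would first surface from SSL_read()/SSL_write() in the transfer path, where this mapping is not applied and the failure would still be reported as a generic SSL error; worth confirming against the recv/send error handling (outside this hunk) and mirroring the mapping there if so. The comment `/* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on OpenSSL version above v1.1.1 ... */` also contradicts the guard `OPENSSL_VERSION_NUMBER >= 0x10101000L`, which is inclusive; suggest `OpenSSL 1.1.1 and later`. Both the new branch and the following `else` call `ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));`, so the branch could set only `result` and share that call. The enclosing function ossl_connect_step2 starts and ends outside the hunk.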
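Review bot: The new `return CURLE_SSL_CLIENTCERT;` in the errSSLClientCertRequested case is only reachable when kSSLSessionOptionBreakOnCertRequested is enabled on the session, as the existing comment above the case states; that option would be set, if at all, in the earlier connect step outside this hunk, so it is worth confirming it is, otherwise this branch and the Secure Transport half of the new error code are dead code. The early return also skips whatever follows the switch in sectransp_connect_step2 (presumably the generic CURLE_SSL_CONNECT_ERROR return the neighbouring `break` cases fall through to), which looks intended but differs from the surrounding cases, so a one-line comment such as `/* dedicated code instead of the generic connect error */` above the return would make that explicit. The enclosing function starts and ends outside the hunk.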
@@ -130,7 +130,8 @@ e94: An authentication function returned an error
 e95: HTTP/3 error
 e96: QUIC connection error
 e97: proxy handshake error
-e98: Unknown error
+e98: SSL Client Certificate required
+e99: Unknown error
 m-1: Please call curl_multi_perform() soon
 m0: No error
 m1: Invalid multi handle |