authorLudwig Nussel <ludwig.nussel@suse.de>2015-03-24 13:25:17 +0100
committerDaniel Stenberg <daniel@haxx.se>2016-02-08 14:45:58 +0100
commit7b55279d1d856c9ef19d942c2672a3d616254452 (patch)
tree178da7437e093731e538402eb33b893224611389
parent113f04e664b16b944e64498a73a4dab990fe9a68 (diff)
configure: --with-ca-fallback: use built-in TLS CA fallback
When trying to verify a peer without having any root CA certificates set, this makes libcurl use the TLS library's built-in default as a fallback. Closes #569
-rw-r--r--acinclude.m418
-rw-r--r--configure.ac1
-rw-r--r--lib/vtls/gtls.c10
-rw-r--r--lib/vtls/openssl.c7
4 files changed, 35 insertions, 1 deletions
diff --git a/acinclude.m4 b/acinclude.m4
index ce61ca6b5..037c27d7c 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -2665,6 +2665,24 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
if test "x$ca" = "xno" && test "x$capath" = "xno"; then
AC_MSG_RESULT([no])
fi
+
+ AC_MSG_CHECKING([whether to use builtin CA store of SSL library])
+ AC_ARG_WITH(ca-fallback,
+AC_HELP_STRING([--with-ca-fallback], [Use the built in CA store of the SSL library])
+AC_HELP_STRING([--without-ca-fallback], [Don't use the built in CA store of the SSL library]),
+ [
+ if test "x$with_ca_fallback" != "xyes" -a "x$with_ca_fallback" != "xno"; then
+ AC_MSG_ERROR([--with-ca-fallback only allows yes or no as parameter])
+ fi
+ ],
+ [ with_ca_fallback="no"])
+ AC_MSG_RESULT([$with_ca_fallback])
+ if test "x$with_ca_fallback" = "xyes"; then
+ if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1"; then
+ AC_MSG_ERROR([--with-ca-fallback only works with OpenSSL or GnuTLS])
+ fi
+ AC_DEFINE_UNQUOTED(CURL_CA_FALLBACK, 1, [define "1" to use built in CA store of SSL library ])
+ fi
])
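Review bot: The two new `test` conditions (the `with_ca_fallback` validation and the `OPENSSL_ENABLED`/`GNUTLS_ENABLED` check) join their operands with `-a`, which POSIX marks obsolescent and which some shells parse ambiguously when an operand begins with `-`; the context line at the top of this hunk (`if test "x$ca" = "xno" && test "x$capath" = "xno"`) uses separate `test` invocations joined with `&&`, and the added lines should follow that form, e.g. `if test "x$with_ca_fallback" != "xyes" && test "x$with_ca_fallback" != "xno"; then` and `if test "x$OPENSSL_ENABLED" != "x1" && test "x$GNUTLS_ENABLED" != "x1"; then`. `AC_DEFINE_UNQUOTED(CURL_CA_FALLBACK, 1, ...)` defines a literal constant, so plain `AC_DEFINE` is the conventional choice, and the trailing space inside the description `[... of SSL library ]` ends up verbatim in the generated config header comment. The enclosing macro body starts outside the hunk.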
diff --git a/configure.ac b/configure.ac
index 4c9862fc4..3b4139328 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3895,6 +3895,7 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
SSPI support: ${curl_sspi_msg}
ca cert bundle: ${ca}
ca cert path: ${capath}
+ ca fallback: ${with_ca_fallback}
LDAP support: ${curl_ldap_msg}
LDAPS support: ${curl_ldaps_msg}
RTSP support: ${curl_rtsp_msg}
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index a9702c4a4..2c7eb1729 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -487,6 +487,14 @@ gtls_connect_step1(struct connectdata *conn,
}
#endif
+#ifdef CURL_CA_FALLBACK
+ /* use system ca certificate store as fallback */
+ if(data->set.ssl.verifypeer &&
+ !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
+ gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
+ }
+#endif
+
if(data->set.ssl.CRLfile) {
/* set the CRL list file */
rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
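Review bot: The return value of `gnutls_certificate_set_x509_system_trust()` on the added line is discarded, so when the system trust store cannot be loaded (a negative error code) or contains no certificates (it returns the number added, i.e. 0) verifypeer stays on with an empty trust list and the handshake later fails with a generic verification error that gives no hint that the fallback store was the cause. Capture it the way the CRL call just below does: `rc = gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);` followed by `if(rc < 0) infof(data, "error reading system CA store (%s)\n", gnutls_strerror(rc));` — or treat it as fatal to match how a bad CAfile is handled in this function (that branch is outside the hunk). The same missing check applies to `SSL_CTX_set_default_verify_paths()` in the lib/vtls/openssl.c hunk, which returns 0 on failure; that hunk's comment also misspells "verifying" as "verfying". Note too that `gnutls_certificate_set_x509_system_trust()` only exists in GnuTLS 3.0.20 and later while the configure check only tests GNUTLS_ENABLED, so unless the file already guards this by version (not visible here) a build against an older GnuTLS with CURL_CA_FALLBACK defined will not compile. gtls_connect_step1 starts and ends outside the hunk.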
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 70cfb84af..b36c6a611 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1960,6 +1960,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]:
"none");
}
+#ifdef CURL_CA_FALLBACK
+ else if(data->set.ssl.verifypeer) {
+ /* verfying the peer without any CA certificates won't
+ work so use openssl's built in default as fallback */
+ SSL_CTX_set_default_verify_paths(connssl->ctx);
+ }
+#endif
if(data->set.str[STRING_SSL_CRLFILE]) {
/* tell SSL where to find CRL file that is used to check certificate