diff options
author | Jay Satiro <raysatiro@yahoo.com> | 2023-01-05 18:32:27 -0500 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2023-01-17 03:32:58 -0500 |
commit | c4cd0e2be96dafca24abe519999da5ab4e27b0a8 (patch) | |
tree | aa51c7b835bdd433f72f6296cf671d6ef4da0ea9 /lib/vtls | |
parent | 6113dec2a829d4ab766428ccca9535b7a5efd012 (diff) | |
download | curl-c4cd0e2be96dafca24abe519999da5ab4e27b0a8.tar.gz |
openssl: Don't ignore CA paths when using Windows CA store (redux)
.. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA.
This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it
does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded
default locations. Instead the native Windows CA store can be used at
the same time.
---
This behavior was originally added over two years ago in abbc5d60
(#5585) but then 83393b1a (#7892) broke it over a year ago, I assume
inadvertently.
The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely
rarely used.
Ref: https://github.com/curl/curl/pull/5585
Ref: https://github.com/curl/curl/pull/7892
Ref: https://curl.se/mail/lib-2023-01/0019.html
Closes https://github.com/curl/curl/pull/10244
Diffstat (limited to 'lib/vtls')
-rw-r--r-- | lib/vtls/openssl.c | 55 |
1 files changed, 36 insertions, 19 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 715515fcf..9ebb5e991 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3066,6 +3066,7 @@ static CURLcode populate_x509_store(struct Curl_cfilter *cf, const char * const ssl_crlfile = ssl_config->primary.CRLfile; const bool verifypeer = conn_config->verifypeer; bool imported_native_ca = false; + bool imported_ca_info_blob = false; if(!store) return CURLE_OUT_OF_MEMORY; @@ -3225,33 +3226,49 @@ static CURLcode populate_x509_store(struct Curl_cfilter *cf, /* Only warn if no certificate verification is required. */ infof(data, "error importing CA certificate blob, continuing anyway"); } + else { + imported_ca_info_blob = true; + infof(data, "successfully imported CA certificate blob"); + } } - if(verifypeer && !imported_native_ca && (ssl_cafile || ssl_capath)) { + if(verifypeer && (ssl_cafile || ssl_capath)) { #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) /* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */ - if(ssl_cafile && - !X509_STORE_load_file(store, ssl_cafile)) { - /* Fail if we insist on successfully verifying the server. */ - failf(data, "error setting certificate file: %s", ssl_cafile); - return CURLE_SSL_CACERT_BADFILE; + if(ssl_cafile && !X509_STORE_load_file(store, ssl_cafile)) { + if(!imported_native_ca && !imported_ca_info_blob) { + /* Fail if we insist on successfully verifying the server. */ + failf(data, "error setting certificate file: %s", ssl_cafile); + return CURLE_SSL_CACERT_BADFILE; + } + else + infof(data, "error setting certificate file, continuing anyway"); } - if(ssl_capath && - !X509_STORE_load_path(store, ssl_capath)) { - /* Fail if we insist on successfully verifying the server. */ - failf(data, "error setting certificate path: %s", ssl_capath); - return CURLE_SSL_CACERT_BADFILE; + if(ssl_capath && !X509_STORE_load_path(store, ssl_capath)) { + if(!imported_native_ca && !imported_ca_info_blob) { + /* Fail if we insist on successfully verifying the server. */ + failf(data, "error setting certificate path: %s", ssl_capath); + return CURLE_SSL_CACERT_BADFILE; + } + else + infof(data, "error setting certificate path, continuing anyway"); } #else /* tell OpenSSL where to find CA certificates that are used to verify the server's certificate. */ if(!X509_STORE_load_locations(store, ssl_cafile, ssl_capath)) { - /* Fail if we insist on successfully verifying the server. */ - failf(data, "error setting certificate verify locations:" - " CAfile: %s CApath: %s", - ssl_cafile ? ssl_cafile : "none", - ssl_capath ? ssl_capath : "none"); - return CURLE_SSL_CACERT_BADFILE; + if(!imported_native_ca && !imported_ca_info_blob) { + /* Fail if we insist on successfully verifying the server. */ + failf(data, "error setting certificate verify locations:" + " CAfile: %s CApath: %s", + ssl_cafile ? ssl_cafile : "none", + ssl_capath ? ssl_capath : "none"); + return CURLE_SSL_CACERT_BADFILE; + } + else { + infof(data, "error setting certificate verify locations," + " continuing anyway"); + } } #endif infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none"); @@ -3259,8 +3276,8 @@ static CURLcode populate_x509_store(struct Curl_cfilter *cf, } #ifdef CURL_CA_FALLBACK - if(verifypeer && - !ca_info_blob && !ssl_cafile && !ssl_capath && !imported_native_ca) { + if(verifypeer && !ssl_cafile && !ssl_capath && + !imported_native_ca && !imported_ca_info_blob) { /* verifying the peer without any CA certificates won't work so use openssl's built-in default as fallback */ X509_STORE_set_default_paths(store); |