luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

openssl: Don't ignore CA paths when using Windows CA store

Browse Source 
This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does
not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default
locations. Instead the CA store can now be used at the same time.

The change is due to the impending release. The issue is still being
discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and
is now documented as experimental.

Ref: bc052cc (parent commit)
Ref: https://github.com/curl/curl/issues/5585
This commit is contained in:
Jay Satiro 2020-06-22 12:01:32 -04:00
parent bc052cc878
commit abbc5d6044
3 changed files with 13 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/EXPERIMENTAL.md
View File

@ -21,3 +21,4 @@ Experimental support in curl means:
- HTTP/3 support and options - HTTP/3 support and options
- alt-svc support and options - alt-svc support and options
- MQTT - MQTT
- CURLSSLOPT_NATIVE_CA (No configure option, feature built in when supported)

5
docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
View File

@ -57,8 +57,9 @@ library). If combined with \fICURLSSLOPT_NO_REVOKE\fP, the latter takes
precedence. (Added in 7.70.0) precedence. (Added in 7.70.0)
.IP CURLSSLOPT_NATIVE_CA .IP CURLSSLOPT_NATIVE_CA
Tell libcurl to use the operating system's native CA store for certificate Tell libcurl to use the operating system's native CA store for certificate
verifiction. Works only on Windows when built to use OpenSSL. This option verification. Works only on Windows when built to use OpenSSL. This option is
overrides \fICURLOPT_CAINFO(3)\fP if both are set. (Added in 7.71.0) experimental and behavior is subject to change.
(Added in 7.71.0)
.SH DEFAULT .SH DEFAULT
0 0
.SH PROTOCOLS .SH PROTOCOLS

22
lib/vtls/openssl.c
View File

@ -2488,6 +2488,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
char error_buffer[256]; char error_buffer[256];
struct ssl_backend_data *backend = connssl->backend; struct ssl_backend_data *backend = connssl->backend;
bool imported_native_ca = false;
DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
@ -2940,9 +2941,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
if(X509_STORE_add_cert(store, x509) == 1) { if(X509_STORE_add_cert(store, x509) == 1) {
#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
infof(data, "SSL: Imported cert \"%s\"\n", cert_name); infof(data, "SSL: Imported cert \"%s\"\n", cert_name);
#else
do {} while(0);
#endif #endif
imported_native_ca = true;
} }
X509_free(x509); X509_free(x509);
} }
@ -2953,16 +2953,12 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
if(result) if(result)
return result; return result;
infof(data, "successfully set certificate verify locations "
"to windows ca store\n");
}
else {
infof(data, "error setting certificate verify locations "
"to windows ca store, continuing anyway\n");
} }
if(imported_native_ca)
infof(data, "successfully imported windows ca store\n");
else
infof(data, "error importing windows ca store, continuing anyway\n");
} }
else
#endif #endif
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
@ -2998,7 +2994,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
/* tell SSL where to find CA certificates that are used to verify /* tell SSL where to find CA certificates that are used to verify
the servers certificate. */ the servers certificate. */
if(!SSL_CTX_load_verify_locations(backend->ctx, ssl_cafile, ssl_capath)) { if(!SSL_CTX_load_verify_locations(backend->ctx, ssl_cafile, ssl_capath)) {
if(verifypeer) { if(verifypeer && !imported_native_ca) {
/* Fail if we insist on successfully verifying the server. */ /* Fail if we insist on successfully verifying the server. */
failf(data, "error setting certificate verify locations:\n" failf(data, "error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s", " CAfile: %s\n CApath: %s",
@ -3006,7 +3002,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
ssl_capath ? ssl_capath : "none"); ssl_capath ? ssl_capath : "none");
return CURLE_SSL_CACERT_BADFILE; return CURLE_SSL_CACERT_BADFILE;
} }
/* Just continue with a warning if no strict certificate verification /* Just continue with a warning if no strict certificate verification
is required. */ is required. */
infof(data, "error setting certificate verify locations," infof(data, "error setting certificate verify locations,"
" continuing anyway:\n"); " continuing anyway:\n");
@ -3024,7 +3020,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#endif #endif
#ifdef CURL_CA_FALLBACK #ifdef CURL_CA_FALLBACK
if(verifypeer && !ssl_cafile && !ssl_capath) { if(verifypeer && !ssl_cafile && !ssl_capath && !imported_native_ca) {
/* verifying the peer without any CA certificates won't /* verifying the peer without any CA certificates won't
work so use openssl's built in default as fallback */ work so use openssl's built in default as fallback */
SSL_CTX_set_default_verify_paths(backend->ctx); SSL_CTX_set_default_verify_paths(backend->ctx);