curl/lib
Johannes Schindelin 5450428491 schannel: add "best effort" revocation check option
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and
  --ssl-revoke-best-effort to allow a "best effort" revocation check.

A best effort revocation check ignores errors indicating that the revocation
check was unable to take place. The reasoning is described in detail below
and discussed further in the PR.

---

When running e.g. with Fiddler, the schannel backend fails with an
unhelpful error message:

	Unknown error (0x80092012) - The revocation function was unable
	to check revocation for the certificate.

Sadly, many enterprise users who are stuck behind MITM proxies suffer
the very same problem.

This has been discussed in plenty of issues:
https://github.com/curl/curl/issues/3727,
https://github.com/curl/curl/issues/264, for example.

In the latter, a Microsoft Edge developer even made the case that the
common behavior is to ignore issues when a certificate has no recorded
distribution point for revocation lists, or when the server is offline.
This is also known as "best effort" strategy and addresses the Fiddler
issue.

Unfortunately, this strategy was not chosen as the default for schannel
(and is therefore a backend-specific behavior: OpenSSL seems to happily
ignore the offline servers and missing distribution points).

To maintain backward-compatibility, we therefore add a new flag
(`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option
(`--ssl-revoke-best-effort`) to select the new behavior.

Due to the many related issues in Git for Windows and GitHub Desktop, the
plan is to make this behavior the default in these software packages.

The test 2070 was added to verify this behavior, adapted from 310.

Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com>
Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Closes https://github.com/curl/curl/pull/4981
2020-03-18 03:23:39 -04:00
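As an added illustration (not code from curl or from this commit), the following models the policy difference the commit message describes: a strict check fails on "could not check revocation", while a best effort check accepts that outcome but still rejects a certificate that is positively revoked or otherwise untrusted. The chain-status bits and HRESULT values are copied from the Windows SDK (wincrypt.h / winerror.h) so the file builds anywhere without windows.h; the verdict function itself is an assumption about how the two policies map outcomes, not the schannel backend's implementation.

```c
/* Added example, not curl's code. Models strict vs. "best effort"
 * revocation policy over the CERT_TRUST_STATUS.dwErrorStatus bits that
 * Windows reports for a certificate chain. Values below are the Windows
 * SDK constants, redefined here so this compiles without windows.h. */
#include <stdio.h>
#include <stdint.h>

/* wincrypt.h: CERT_TRUST_STATUS.dwErrorStatus bits */
#define CERT_TRUST_NO_ERROR                  0x00000000u
#define CERT_TRUST_IS_REVOKED                0x00000004u
#define CERT_TRUST_IS_UNTRUSTED_ROOT         0x00000020u
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040u
#define CERT_TRUST_IS_OFFLINE_REVOCATION     0x01000000u

/* winerror.h: results a caller would see */
#ifndef S_OK
#define S_OK                        0x00000000u
#endif
#ifndef E_FAIL
#define E_FAIL                      0x80004005u
#endif
#define CRYPT_E_REVOKED             0x80092010u
#define CRYPT_E_NO_REVOCATION_CHECK 0x80092012u /* the error quoted above */
#define CRYPT_E_REVOCATION_OFFLINE  0x80092013u
#define CERT_E_UNTRUSTEDROOT        0x800B0109u

/* Returns S_OK when the chain is accepted under the chosen policy, else
 * the HRESULT a strict check reports. best_effort != 0 corresponds to
 * CURLSSLOPT_REVOKE_BEST_EFFORT / --ssl-revoke-best-effort. */
uint32_t revocation_verdict(uint32_t error_status, int best_effort)
{
    /* A known-revoked certificate is fatal under both policies: best
     * effort tolerates not knowing, never a known-bad answer. */
    if (error_status & CERT_TRUST_IS_REVOKED)
        return CRYPT_E_REVOKED;

    /* Chain problems unrelated to revocation are never forgiven either. */
    if (error_status & CERT_TRUST_IS_UNTRUSTED_ROOT)
        return CERT_E_UNTRUSTEDROOT;

    /* "Unable to check": the certificate carries no CRL distribution
     * point / OCSP URL, or the responder could not be reached. This is
     * the Fiddler / enterprise MITM-proxy case from the commit message. */
    uint32_t unable = error_status &
        (CERT_TRUST_REVOCATION_STATUS_UNKNOWN | CERT_TRUST_IS_OFFLINE_REVOCATION);
    if (unable) {
        if (best_effort)
            return S_OK;
        return (unable & CERT_TRUST_IS_OFFLINE_REVOCATION)
                   ? CRYPT_E_REVOCATION_OFFLINE
                   : CRYPT_E_NO_REVOCATION_CHECK;
    }

    /* Any other error bit is a failure this model does not break down. */
    return error_status ? E_FAIL : S_OK;
}

/* Constructed scenarios, not real chain results. */
struct scenario {
    const char *name;
    uint32_t status;
};

static const struct scenario scenarios[] = {
    { "clean chain, CRL fetched",           CERT_TRUST_NO_ERROR },
    { "MITM proxy cert, no CDP in cert",    CERT_TRUST_REVOCATION_STATUS_UNKNOWN },
    { "CRL/OCSP server unreachable",        CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
                                            CERT_TRUST_IS_OFFLINE_REVOCATION },
    { "certificate is revoked",             CERT_TRUST_IS_REVOKED },
    { "self-signed root not in store",      CERT_TRUST_IS_UNTRUSTED_ROOT },
};

int main(void)
{
    size_t n = sizeof(scenarios) / sizeof(scenarios[0]);
    printf("%-36s %-12s %-12s\n", "scenario", "strict", "best-effort");
    for (size_t i = 0; i < n; i++) {
        printf("%-36s 0x%08x   0x%08x\n", scenarios[i].name,
               revocation_verdict(scenarios[i].status, 0),
               revocation_verdict(scenarios[i].status, 1));
    }
    return 0;
}
```

In libcurl the flag is set with `curl_easy_setopt(h, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT)`, and the command-line switch is `--ssl-revoke-best-effort`. The caveat is the one the table makes visible: best effort is soft-fail, so an on-path attacker who can block CRL or OCSP traffic produces exactly the "unable to check" outcome that the policy now accepts. It trades revocation coverage for availability behind proxies; it does not weaken the verdict for a certificate the check actually finds revoked.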
vauth ntlm: Removed the dependency on the TLS libraries when using MD5 2020-02-23 07:52:19 +00:00
vquic version: make curl_version* thread-safe without using global context 2020-03-07 12:10:11 +01:00
vssh sftp: fix segfault regression introduced by #4747 2020-03-09 15:01:40 +01:00
vtls schannel: add "best effort" revocation check option 2020-03-18 03:23:39 -04:00
.gitattributes
.gitignore
altsvc.c altsvc: both h3 backends now speak h3-27 2020-03-02 00:07:37 +01:00
altsvc.h altsvc: make saving the cache an atomic operation 2020-02-18 07:49:21 +01:00
amigaos.c
amigaos.h
arpa_telnet.h
asyn-ares.c global_init: move the IPv6 works status bool to multi handle 2020-01-28 08:03:22 +01:00
asyn-thread.c asyn-thread: remove dead code 2020-02-09 02:27:29 -05:00
asyn.h
base64.c
checksrc.pl perl: align order and completeness of Windows OS checks 2020-03-07 11:02:43 +01:00
CMakeLists.txt
config-amigaos.h
config-dos.h build: remove all HAVE_OPENSSL_ENGINE_H defines 2020-03-01 11:06:28 +01:00
config-mac.h
config-os400.h
config-plan9.h build: remove all HAVE_OPENSSL_ENGINE_H defines 2020-03-01 11:06:28 +01:00
config-riscos.h
config-symbian.h build: remove all HAVE_OPENSSL_ENGINE_H defines 2020-03-01 11:06:28 +01:00
config-tpf.h build: remove all HAVE_OPENSSL_ENGINE_H defines 2020-03-01 11:06:28 +01:00
config-vxworks.h build: remove all HAVE_OPENSSL_ENGINE_H defines 2020-03-01 11:06:28 +01:00
config-win32.h config-win32: Windows does not have ftruncate 2020-03-07 10:58:42 +01:00
config-win32ce.h
conncache.c
conncache.h
connect.c connect: happy eyeballs cleanup 2020-03-15 11:03:11 +01:00
connect.h
content_encoding.c
content_encoding.h
cookie.c cookie: get_top_domain() sets zero length for null domains 2020-03-08 17:30:55 +01:00
cookie.h
curl_addrinfo.c
curl_addrinfo.h
curl_base64.h
curl_config.h.cmake cmake: add support for building with wolfSSL 2020-03-16 22:56:50 +01:00
curl_ctype.c
curl_ctype.h
curl_des.c
curl_des.h
curl_endian.c
curl_endian.h
curl_fnmatch.c
curl_fnmatch.h
curl_get_line.c
curl_get_line.h
curl_gethostname.c
curl_gethostname.h
curl_gssapi.c
curl_gssapi.h
curl_hmac.h ntlm: Moved the HMAC MD5 function into the HMAC module as a generic function 2020-02-24 06:56:35 +00:00
curl_ldap.h
curl_md4.h md4: Use const for the length input parameter 2020-02-23 18:47:32 +00:00
curl_md5.h md5/sha256: Updated the functions to allow non-string data to be hashed 2020-02-23 07:50:33 +00:00
curl_memory.h
curl_memrchr.c
curl_memrchr.h
curl_multibyte.c
curl_multibyte.h
curl_ntlm_core.c windows: suppress UI in all CryptAcquireContext() calls 2020-03-17 23:08:02 +00:00
curl_ntlm_core.h ntlm: Removed the dependency on the TLS libraries when using MD5 2020-02-23 07:52:19 +00:00
curl_ntlm_wb.c ntlm_wb: Use Curl_socketpair() for greater portability 2020-02-06 14:39:50 +00:00
curl_ntlm_wb.h
curl_path.c
curl_path.h
curl_printf.h
curl_range.c
curl_range.h
curl_rtmp.c
curl_rtmp.h
curl_sasl.c
curl_sasl.h
curl_sec.h
curl_setup_once.h
curl_setup.h
curl_sha256.h md5/sha256: Updated the functions to allow non-string data to be hashed 2020-02-23 07:50:33 +00:00
curl_sspi.c
curl_sspi.h
curl_threads.c
curl_threads.h
curlx.h
dict.c
dict.h
doh.c schannel: add "best effort" revocation check option 2020-03-18 03:23:39 -04:00
doh.h
dotdot.c
dotdot.h
easy.c easy: Fix curl_easy_duphandle for builds missing IPv6 that use c-ares 2020-03-14 19:07:05 -04:00
easyif.h
escape.c
escape.h
file.c
file.h
fileinfo.c
fileinfo.h
firefox-db2pem.sh
formdata.c mime: latch last read callback status. 2020-03-07 23:26:00 +01:00
formdata.h
ftp.c socks: make the connect phase non-blocking 2020-02-17 00:08:48 +01:00
ftp.h ftp: remove the duplicated user/password struct fields 2020-02-07 08:18:36 +01:00
ftplistparser.c
ftplistparser.h
getenv.c tool_home: Fix the copyright year being out of date 2020-02-13 00:40:08 +00:00
getinfo.c test 970: verify --write-out '%{json}' 2020-03-17 15:04:24 +01:00
getinfo.h
gopher.c
gopher.h
hash.c
hash.h
hmac.c ntlm: Moved the HMAC MD5 function into the HMAC module as a generic function 2020-02-24 06:56:35 +00:00
hostasyn.c
hostcheck.c
hostcheck.h
hostip4.c
hostip6.c global_init: move the IPv6 works status bool to multi handle 2020-01-28 08:03:22 +01:00
hostip.c socks: make the connect phase non-blocking 2020-02-17 00:08:48 +01:00
hostip.h socks: make the connect phase non-blocking 2020-02-17 00:08:48 +01:00
hostsyn.c
http2.c version: make curl_version* thread-safe without using global context 2020-03-07 12:10:11 +01:00
http2.h http2: make pausing/unpausing set/clear local stream window 2020-02-27 10:35:51 +01:00
http_chunks.c
http_chunks.h
http_digest.c
http_digest.h
http_negotiate.c
http_negotiate.h
http_ntlm.c
http_ntlm.h
http_proxy.c
http_proxy.h
http.c http: mark POSTs with no body as "upload done" from the start 2020-03-02 15:43:04 +01:00
http.h
idn_win32.c
if2ip.c
if2ip.h
imap.c
imap.h
inet_ntop.c
inet_ntop.h
inet_pton.c
inet_pton.h
krb5.c
ldap.c
libcurl.plist
libcurl.rc
libcurl.vers.in
llist.c
llist.h
Makefile.am
makefile.amiga
makefile.dj
Makefile.inc rename: a new file for Curl_rename() 2020-02-18 07:49:15 +01:00
Makefile.m32 Makefile.m32: Improve windres parameter compatibility 2020-03-14 19:08:17 -04:00
Makefile.netware build: remove all HAVE_OPENSSL_ENGINE_H defines 2020-03-01 11:06:28 +01:00
Makefile.vxworks
Makefile.Watcom
md4.c windows: suppress UI in all CryptAcquireContext() calls 2020-03-17 23:08:02 +00:00
md5.c windows: suppress UI in all CryptAcquireContext() calls 2020-03-17 23:08:02 +00:00
memdebug.c
memdebug.h
mime.c mime: fix the binary encoder to handle large data properly 2020-03-07 23:26:15 +01:00
mime.h mime: do not perform more than one read in a row 2020-03-07 23:26:00 +01:00
mk-ca-bundle.pl
mk-ca-bundle.vbs
mprintf.c
multi.c multi: Improve parameter check for curl_multi_remove_handle 2020-03-18 02:58:42 -04:00
multihandle.h global_init: move the IPv6 works status bool to multi handle 2020-01-28 08:03:22 +01:00
multiif.h
netrc.c
netrc.h
non-ascii.c
non-ascii.h
nonblock.c
nonblock.h
nwlib.c
nwos.c
openldap.c
parsedate.c
parsedate.h
pingpong.c
pingpong.h
pop3.c
pop3.h
progress.c
progress.h
psl.c
psl.h
quic.h
rand.c
rand.h
rename.c rename: a new file for Curl_rename() 2020-02-18 07:49:15 +01:00
rename.h rename: a new file for Curl_rename() 2020-02-18 07:49:15 +01:00
rtsp.c
rtsp.h
security.c
select.c select: add 'timeout_ms' wrap-around precaution to Curl_select 2020-03-15 11:08:27 +01:00
select.h select: move duplicate select preparation code into Curl_select 2020-03-15 11:08:27 +01:00
sendf.c http2: make pausing/unpausing set/clear local stream window 2020-02-27 10:35:51 +01:00
sendf.h
setopt.c schannel: add "best effort" revocation check option 2020-03-18 03:23:39 -04:00
setopt.h
setup-os400.h
setup-vms.h
sha256.c windows: suppress UI in all CryptAcquireContext() calls 2020-03-17 23:08:02 +00:00
share.c
share.h
sigpipe.h
slist.c
slist.h
smb.c
smb.h
smtp.c smtp: overwriting 'from' leaks memory 2020-02-28 16:52:33 +01:00
smtp.h smtp: Detect server support for the UTF-8 extension as defined in RFC-6531 2020-02-26 14:04:37 +00:00
sockaddr.h
socketpair.c
socketpair.h
socks_gssapi.c socks: make the connect phase non-blocking 2020-02-17 00:08:48 +01:00
socks_sspi.c socks: make the connect phase non-blocking 2020-02-17 00:08:48 +01:00
socks.c socks4: fix host resolve regression 2020-03-08 22:51:47 +01:00
socks.h socks: make the connect phase non-blocking 2020-02-17 00:08:48 +01:00
speedcheck.c
speedcheck.h
splay.c
splay.h
strcase.c
strcase.h
strdup.c
strdup.h
strerror.c
strerror.h strerror.h: Copyright year out of date 2020-02-12 23:07:21 +01:00
strtok.c
strtok.h
strtoofft.c
strtoofft.h
system_win32.c nit: Copyright year out of date 2020-02-19 08:04:35 +01:00
system_win32.h
telnet.c
telnet.h
tftp.c
tftp.h
timeval.c nit: Copyright year out of date 2020-02-19 08:04:35 +01:00
timeval.h
transfer.c transfer: cap retries of "dead connections" to 5 2020-03-15 11:43:47 +01:00
transfer.h
url.c Curl_is_ASCII_name: handle a NULL argument 2020-02-27 13:55:29 +01:00
url.h url: Make the IDN conversion functions available to others 2020-02-26 11:01:47 +00:00
urlapi-int.h
urlapi.c urlapi: guess scheme correct even with credentials given 2020-01-28 08:40:16 +01:00
urldata.h schannel: add "best effort" revocation check option 2020-03-18 03:23:39 -04:00
version.c writeout: support to generate JSON output 2020-03-17 15:01:28 +01:00
warnless.c
warnless.h
wildcard.c
wildcard.h
x509asn1.c
x509asn1.h