diff --git a/CHANGES b/CHANGES index 67020ae4d..6d91774b2 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,11 @@ Changelog +Daniel (21 October 2006) +- Armel Asselin separated CA cert verification problems from problems with + reading the (local) CA cert file to let users easier pinpoint the actual + problem. CURLE_SSL_CACERT_BADFILE (77) is the new libcurl error code. + Daniel (18 October 2006) - Removed the "protocol-guessing" for URLs with host names starting with FTPS or TELNET since they are practically non-existant. This leaves us with only diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 6fd5cc1cb..1d8f64241 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -10,7 +10,8 @@ Curl and libcurl 7.16.0 Number of contributors: 515 This release includes the following changes: - + + o Added CURLE_SSL_CACERT_BADFILE o Added CURLMOPT_TIMERFUNCTION o The CURLOPT_SOURCE_* options are removed and so are the --3p* command line options diff --git a/docs/libcurl/libcurl-errors.3 b/docs/libcurl/libcurl-errors.3 index 1d6936002..062bf83de 100644 --- a/docs/libcurl/libcurl-errors.3 +++ b/docs/libcurl/libcurl-errors.3 @@ -174,7 +174,7 @@ problem with the local client certificate .IP "CURLE_SSL_CIPHER (59)" couldn't use specified cipher .IP "CURLE_SSL_CACERT (60)" -problem with the CA cert (path? access rights?) +peer certificate cannot be authenticated with known CA certificates .IP "CURLE_BAD_CONTENT_ENCODING (61)" Unrecognized transfer encoding .IP "CURLE_LDAP_INVALID_URL (62)" @@ -208,6 +208,8 @@ No such TFTP user Character conversion failed .IP "CURLE_CONV_REQD (76)" Caller must register conversion callbacks +.IP "CURLE_SSL_CACERT_BADFILE (77)" +Problem with reading the SSL CA cert (path? access rights?) .SH "CURLMcode" This is the generic return code used by functions in the libcurl multi interface. Also consider \fIcurl_multi_strerror(3)\fP. diff --git a/include/curl/curl.h b/include/curl/curl.h index 548c7f848..36b52bb05 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -390,6 +390,8 @@ typedef enum { CURLOPT_CONV_FROM_NETWORK_FUNCTION, CURLOPT_CONV_TO_NETWORK_FUNCTION, and CURLOPT_CONV_FROM_UTF8_FUNCTION */ + CURLE_SSL_CACERT_BADFILE, /* 77 - could not load CACERT file, missing + or wrong format */ CURL_LAST /* never use! */ } CURLcode; diff --git a/lib/gtls.c b/lib/gtls.c index b202adfd4..02680d02b 100644 --- a/lib/gtls.c +++ b/lib/gtls.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2005, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2006, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -234,9 +234,12 @@ Curl_gtls_connect(struct connectdata *conn, rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred, data->set.ssl.CAfile, GNUTLS_X509_FMT_PEM); - if(rc < 0) + if(rc < 0) { infof(data, "error reading ca cert file %s (%s)\n", data->set.ssl.CAfile, gnutls_strerror(rc)); + if (data->set.ssl.verifypeer) + return CURLE_SSL_CACERT_BADFILE; + } else infof(data, "found %d certificates in %s\n", rc, data->set.ssl.CAfile); diff --git a/lib/ssluse.c b/lib/ssluse.c index 2d6a6fed6..28c2ef62b 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1272,7 +1272,7 @@ Curl_ossl_connect_step1(struct connectdata *conn, " CAfile: %s\n CApath: %s\n", data->set.ssl.CAfile ? data->set.ssl.CAfile : "none", data->set.ssl.CApath ? data->set.ssl.CApath : "none"); - return CURLE_SSL_CACERT; + return CURLE_SSL_CACERT_BADFILE; } else { /* Just continue with a warning if no strict certificate verification diff --git a/lib/strerror.c b/lib/strerror.c index 62ccfe9a0..3e466c688 100644 --- a/lib/strerror.c +++ b/lib/strerror.c @@ -227,6 +227,9 @@ curl_easy_strerror(CURLcode error) return "couldn't use specified SSL cipher"; case CURLE_SSL_CACERT: + return "peer certificate cannot be authenticated with known CA certificates"; + + case CURLE_SSL_CACERT_BADFILE: return "problem with the SSL CA cert (path? access rights?)"; case CURLE_BAD_CONTENT_ENCODING: diff --git a/tests/data/test305 b/tests/data/test305 index f814225b9..0e01ea2e9 100644 --- a/tests/data/test305 +++ b/tests/data/test305 @@ -28,6 +28,6 @@ https://%HOSTIP:%HTTPSPORT/want/305 --cacert moooo -60 +77