openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
Closes #4655
parent
94f1f77158
commit
564d88a8bd
@ -28,23 +28,27 @@ CURLOPT_SSL_OPTIONS \- set SSL behavior options
|
|||||||
|
|
||||||
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask);
|
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask);
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
Pass a long with a bitmask to tell libcurl about specific SSL behaviors.
|
Pass a long with a bitmask to tell libcurl about specific SSL
|
||||||
|
behaviors. Available bits:
|
||||||
\fICURLSSLOPT_ALLOW_BEAST\fP tells libcurl to not attempt to use any
|
.IP CURLSSLOPT_ALLOW_BEAST
|
||||||
workarounds for a security flaw in the SSL3 and TLS1.0 protocols. If this
|
Tells libcurl to not attempt to use any workarounds for a security flaw in the
|
||||||
option isn't used or this bit is set to 0, the SSL layer libcurl uses may use a
|
SSL3 and TLS1.0 protocols. If this option isn't used or this bit is set to 0,
|
||||||
work-around for this flaw although it might cause interoperability problems
|
the SSL layer libcurl uses may use a work-around for this flaw although it
|
||||||
with some (older) SSL implementations. WARNING: avoiding this work-around
|
might cause interoperability problems with some (older) SSL
|
||||||
lessens the security, and by setting this option to 1 you ask for exactly that.
|
implementations. WARNING: avoiding this work-around lessens the security, and
|
||||||
This option is only supported for DarwinSSL, NSS and OpenSSL.
|
by setting this option to 1 you ask for exactly that. This option is only
|
||||||
|
supported for DarwinSSL, NSS and OpenSSL.
|
||||||
Added in 7.44.0:
|
.IP CURLSSLOPT_NO_REVOKE
|
||||||
|
Tells libcurl to disable certificate revocation checks for those SSL backends
|
||||||
\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation
|
where such behavior is present. This option is only supported for Schannel
|
||||||
checks for those SSL backends where such behavior is present. This option is
|
(the native Windows SSL library), with an exception in the case of Windows'
|
||||||
only supported for Schannel (the native Windows SSL library), with an
|
Untrusted Publishers blacklist which it seems can't be bypassed. (Added in
|
||||||
exception in the case of Windows' Untrusted Publishers blacklist which it
|
7.44.0)
|
||||||
seems can't be bypassed.
|
.IP CURLSSLOPT_NO_PARTIALCHAIN
|
||||||
|
Tells libcurl to not accept "partial" certificate chains, which it otherwise
|
||||||
|
does by default. This option is only supported for OpenSSL and will fail the
|
||||||
|
certificate verification if the chain ends with an intermediate certificate
|
||||||
|
and not with a root cert. (Added in 7.68.0)
|
||||||
.SH DEFAULT
|
.SH DEFAULT
|
||||||
0
|
0
|
||||||
.SH PROTOCOLS
|
.SH PROTOCOLS
|
||||||
|
@ -738,6 +738,7 @@ CURLSSLBACKEND_SCHANNEL 7.34.0
|
|||||||
CURLSSLBACKEND_SECURETRANSPORT 7.64.1
|
CURLSSLBACKEND_SECURETRANSPORT 7.64.1
|
||||||
CURLSSLBACKEND_WOLFSSL 7.49.0
|
CURLSSLBACKEND_WOLFSSL 7.49.0
|
||||||
CURLSSLOPT_ALLOW_BEAST 7.25.0
|
CURLSSLOPT_ALLOW_BEAST 7.25.0
|
||||||
|
CURLSSLOPT_NO_PARTIALCHAIN 7.68.0
|
||||||
CURLSSLOPT_NO_REVOKE 7.44.0
|
CURLSSLOPT_NO_REVOKE 7.44.0
|
||||||
CURLSSLSET_NO_BACKENDS 7.56.0
|
CURLSSLSET_NO_BACKENDS 7.56.0
|
||||||
CURLSSLSET_OK 7.56.0
|
CURLSSLSET_OK 7.56.0
|
||||||
|
@ -828,6 +828,10 @@ typedef enum {
|
|||||||
SSL backends where such behavior is present. */
|
SSL backends where such behavior is present. */
|
||||||
#define CURLSSLOPT_NO_REVOKE (1<<1)
|
#define CURLSSLOPT_NO_REVOKE (1<<1)
|
||||||
|
|
||||||
|
/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain
|
||||||
|
if possible. The OpenSSL backend has this ability. */
|
||||||
|
#define CURLSSLOPT_NO_PARTIALCHAIN (1<<2)
|
||||||
|
|
||||||
/* The default connection attempt delay in milliseconds for happy eyeballs.
|
/* The default connection attempt delay in milliseconds for happy eyeballs.
|
||||||
CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
|
CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
|
||||||
this value, keep them in sync. */
|
this value, keep them in sync. */
|
||||||
|
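Review bot: The new comment above `CURLSSLOPT_NO_PARTIALCHAIN` does not say what the bit changes security-wise or what happens on backends that do not implement it, which is what a caller deciding whether to set it needs. From the openssl.c part of this commit, the default lets an intermediate CA found in the trust store act as a trust anchor; this bit asks for a chain that must end in a root in the store, and since only openssl.c reads the field, on every other backend the bit is stored by setopt.c and then has no effect, with nothing in this commit reporting that. I would replace the two comment lines with: `/* - NO_PARTIALCHAIN: require the verified chain to end in a trusted root; by default an intermediate CA present in the trust store is accepted as a trust anchor. Only the OpenSSL backend honors this; other backends silently ignore the bit. */`.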
@ -2133,6 +2133,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
|||||||
data->set.ssl.enable_beast =
|
data->set.ssl.enable_beast =
|
||||||
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
|
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
|
||||||
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||||||
|
data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifndef CURL_DISABLE_PROXY
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
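Review bot: Only `data->set.ssl` learns the new bit here; if the `CURLOPT_PROXY_SSL_OPTIONS` case in the `#ifndef CURL_DISABLE_PROXY` branch that follows mirrors this block for `proxy_ssl` (it lies outside the hunk, so I cannot confirm), it needs the same line, `data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);`. The openssl.c change reads the field through `SSL_SET_OPTION(no_partialchain)`, which presumably resolves to the proxy config on an HTTPS-proxy connection, so without a proxy setter the strict mode could never be enabled for the proxy's certificate chain even though the same bitmask is accepted there. The `case CURLOPT_SSL_OPTIONS` this line belongs to starts before the hunk.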
@ -257,6 +257,7 @@ struct ssl_config_data {
|
|||||||
BIT(falsestart);
|
BIT(falsestart);
|
||||||
BIT(enable_beast); /* allow this flaw for interoperability's sake*/
|
BIT(enable_beast); /* allow this flaw for interoperability's sake*/
|
||||||
BIT(no_revoke); /* disable SSL certificate revocation checks */
|
BIT(no_revoke); /* disable SSL certificate revocation checks */
|
||||||
|
BIT(no_partialchain); /* don't accept partial certificate chains */
|
||||||
};
|
};
|
||||||
|
|
||||||
struct ssl_general_config {
|
struct ssl_general_config {
|
||||||
|
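Review bot: A new field in `struct ssl_config_data` changes what a connection was verified against, so whatever compares two `ssl_config_data` to decide whether an existing connection may be reused (Curl_ssl_config_matches in vtls.c, if it still compares this struct field by field) should also compare `no_partialchain`; otherwise a connection established with partial chains allowed could be handed to a handle that set CURLSSLOPT_NO_PARTIALCHAIN. That file is not in this diff, so this may already be covered or the comparison may not look at these bits at all, but it is worth checking before release. The struct's opening brace is outside the hunk.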
@ -2786,12 +2786,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
X509_V_FLAG_TRUSTED_FIRST);
|
X509_V_FLAG_TRUSTED_FIRST);
|
||||||
#endif
|
#endif
|
||||||
#ifdef X509_V_FLAG_PARTIAL_CHAIN
|
#ifdef X509_V_FLAG_PARTIAL_CHAIN
|
||||||
|
if(!SSL_SET_OPTION(no_partialchain)) {
|
||||||
/* Have intermediate certificates in the trust store be treated as
|
/* Have intermediate certificates in the trust store be treated as
|
||||||
trust-anchors, in the same way as self-signed root CA certificates
|
trust-anchors, in the same way as self-signed root CA certificates
|
||||||
are. This allows users to verify servers using the intermediate cert
|
are. This allows users to verify servers using the intermediate cert
|
||||||
only, instead of needing the whole chain. */
|
only, instead of needing the whole chain. */
|
||||||
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
||||||
X509_V_FLAG_PARTIAL_CHAIN);
|
X509_V_FLAG_PARTIAL_CHAIN);
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
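Review bot: The comment inside the new `if(!SSL_SET_OPTION(no_partialchain))` still describes only the default behaviour and says nothing about the branch being skipped, so the security trade-off is invisible at the point where it is decided. I would add, just before the `if`: `/* With CURLSSLOPT_NO_PARTIALCHAIN the flag is left clear and verification only succeeds if the chain ends in a self-signed root present in the trust store. */`. Also worth recording somewhere that X509_STORE_set_flags, as far as I recall, only ORs flags in, so this option merely refrains from adding X509_V_FLAG_PARTIAL_CHAIN; a CURLOPT_SSL_CTX_FUNCTION callback or a store that already carries the flag is not overridden. ossl_connect_step1 begins and ends outside this hunk.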