
openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains

Closes #4655
This commit is contained in:
Daniel Stenberg 2019-12-02 10:55:33 +01:00
parent 94f1f77158
commit 564d88a8bd
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
6 changed files with 36 additions and 23 deletions


@ -28,23 +28,27 @@ CURLOPT_SSL_OPTIONS \- set SSL behavior options
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask); CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask);
.SH DESCRIPTION .SH DESCRIPTION
Pass a long with a bitmask to tell libcurl about specific SSL behaviors. Pass a long with a bitmask to tell libcurl about specific SSL
behaviors. Available bits:
\fICURLSSLOPT_ALLOW_BEAST\fP tells libcurl to not attempt to use any .IP CURLSSLOPT_ALLOW_BEAST
workarounds for a security flaw in the SSL3 and TLS1.0 protocols. If this Tells libcurl to not attempt to use any workarounds for a security flaw in the
option isn't used or this bit is set to 0, the SSL layer libcurl uses may use a SSL3 and TLS1.0 protocols. If this option isn't used or this bit is set to 0,
work-around for this flaw although it might cause interoperability problems the SSL layer libcurl uses may use a work-around for this flaw although it
with some (older) SSL implementations. WARNING: avoiding this work-around might cause interoperability problems with some (older) SSL
lessens the security, and by setting this option to 1 you ask for exactly that. implementations. WARNING: avoiding this work-around lessens the security, and
This option is only supported for DarwinSSL, NSS and OpenSSL. by setting this option to 1 you ask for exactly that. This option is only
supported for DarwinSSL, NSS and OpenSSL.
Added in 7.44.0: .IP CURLSSLOPT_NO_REVOKE
Tells libcurl to disable certificate revocation checks for those SSL backends
\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation where such behavior is present. This option is only supported for Schannel
checks for those SSL backends where such behavior is present. This option is (the native Windows SSL library), with an exception in the case of Windows'
only supported for Schannel (the native Windows SSL library), with an Untrusted Publishers blacklist which it seems can't be bypassed. (Added in
exception in the case of Windows' Untrusted Publishers blacklist which it 7.44.0)
seems can't be bypassed. .IP CURLSSLOPT_NO_PARTIALCHAIN
Tells libcurl to not accept "partial" certificate chains, which it otherwise
does by default. This option is only supported for OpenSSL and will fail the
certificate verification if the chain ends with an intermediate certificate
and not with a root cert. (Added in 7.68.0)
.SH DEFAULT .SH DEFAULT
0 0
.SH PROTOCOLS .SH PROTOCOLS


@ -738,6 +738,7 @@ CURLSSLBACKEND_SCHANNEL 7.34.0
CURLSSLBACKEND_SECURETRANSPORT 7.64.1 CURLSSLBACKEND_SECURETRANSPORT 7.64.1
CURLSSLBACKEND_WOLFSSL 7.49.0 CURLSSLBACKEND_WOLFSSL 7.49.0
CURLSSLOPT_ALLOW_BEAST 7.25.0 CURLSSLOPT_ALLOW_BEAST 7.25.0
CURLSSLOPT_NO_PARTIALCHAIN 7.68.0
CURLSSLOPT_NO_REVOKE 7.44.0 CURLSSLOPT_NO_REVOKE 7.44.0
CURLSSLSET_NO_BACKENDS 7.56.0 CURLSSLSET_NO_BACKENDS 7.56.0
CURLSSLSET_OK 7.56.0 CURLSSLSET_OK 7.56.0


@ -828,6 +828,10 @@ typedef enum {
SSL backends where such behavior is present. */ SSL backends where such behavior is present. */
#define CURLSSLOPT_NO_REVOKE (1<<1) #define CURLSSLOPT_NO_REVOKE (1<<1)
/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain
if possible. The OpenSSL backend has this ability. */
#define CURLSSLOPT_NO_PARTIALCHAIN (1<<2)
/* The default connection attempt delay in milliseconds for happy eyeballs. /* The default connection attempt delay in milliseconds for happy eyeballs.
CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
this value, keep them in sync. */ this value, keep them in sync. */
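Review bot: The comment on the new CURLSSLOPT_NO_PARTIALCHAIN define says "if possible", which reads as best-effort, while the man page in this same commit states the bit is honoured by OpenSSL only and makes verification fail on a chain that ends in an intermediate. Since the public header is what most integrators read, the comment should match that contract, e.g. `/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain (one ending in an intermediate cert instead of a root). Only the OpenSSL backend honours this bit; others are documented as not supporting it. */`. Stating the default (partial chains are accepted) in the comment would also make the meaning of a cleared bit explicit.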


@ -2133,6 +2133,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
data->set.ssl.enable_beast = data->set.ssl.enable_beast =
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
break; break;
#ifndef CURL_DISABLE_PROXY #ifndef CURL_DISABLE_PROXY
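Review bot: The new assignment sets only `data->set.ssl.no_partialchain`; the CURLOPT_PROXY_SSL_OPTIONS handling under the `#ifndef CURL_DISABLE_PROXY` that follows lies outside the hunk and, as far as this diff shows, gets no parallel `data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);`. The openssl.c hunk reads the bit through SSL_SET_OPTION(), which presumably resolves to the proxy_ssl config on an HTTPS-proxy connection, so the opt-out would silently not apply to proxy certificate verification. If that asymmetry is intended, a short comment on the new line saying the option is connection-only would pre-empt the question; if not, the proxy branch needs the matching line. Curl_vsetopt begins and ends outside the hunk.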


@ -257,6 +257,7 @@ struct ssl_config_data {
BIT(falsestart); BIT(falsestart);
BIT(enable_beast); /* allow this flaw for interoperability's sake*/ BIT(enable_beast); /* allow this flaw for interoperability's sake*/
BIT(no_revoke); /* disable SSL certificate revocation checks */ BIT(no_revoke); /* disable SSL certificate revocation checks */
BIT(no_partialchain); /* don't accept partial certificate chains */
}; };
struct ssl_general_config { struct ssl_general_config {


@ -2786,12 +2786,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
X509_V_FLAG_TRUSTED_FIRST); X509_V_FLAG_TRUSTED_FIRST);
#endif #endif
#ifdef X509_V_FLAG_PARTIAL_CHAIN #ifdef X509_V_FLAG_PARTIAL_CHAIN
if(!SSL_SET_OPTION(no_partialchain)) {
/* Have intermediate certificates in the trust store be treated as /* Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain. */ only, instead of needing the whole chain. */
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx), X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
X509_V_FLAG_PARTIAL_CHAIN); X509_V_FLAG_PARTIAL_CHAIN);
}
#endif #endif
} }
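Review bot: The comment now enclosed by `if(!SSL_SET_OPTION(no_partialchain))` still explains the partial-chain flag as if it were always applied, so a reader of the block cannot tell that the surrounding condition is the user opt-out; prefix it with `/* Unless CURLSSLOPT_NO_PARTIALCHAIN was set, have intermediate certificates ... */` (rest of the comment unchanged). When the bit is set the branch is simply skipped with no trace in verbose output, which makes a "verification failed on an intermediate-only trust store" report hard to diagnose; an else branch with a one-line infof() noting that partial chains are disabled would cost nothing. Note also that with X509_V_FLAG_PARTIAL_CHAIN undefined the whole block compiles out and the bit is a no-op, which happens to match the strict behaviour but is worth a comment on the `#ifdef`. ossl_connect_step1 starts and ends outside the hunk.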