mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
configure: --with-ca-fallback: use built-in TLS CA fallback
When trying to verify a peer without having any root CA certificates set, this makes libcurl use the TLS library's built in default as fallback. Closes #569
This commit is contained in:
parent
113f04e664
commit
7b55279d1d
18
acinclude.m4
18
acinclude.m4
@ -2665,6 +2665,24 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
|
||||
if test "x$ca" = "xno" && test "x$capath" = "xno"; then
|
||||
AC_MSG_RESULT([no])
|
||||
fi
|
||||
|
||||
AC_MSG_CHECKING([whether to use builtin CA store of SSL library])
|
||||
AC_ARG_WITH(ca-fallback,
|
||||
AC_HELP_STRING([--with-ca-fallback], [Use the built in CA store of the SSL library])
|
||||
AC_HELP_STRING([--without-ca-fallback], [Don't use the built in CA store of the SSL library]),
|
||||
[
|
||||
if test "x$with_ca_fallback" != "xyes" -a "x$with_ca_fallback" != "xno"; then
|
||||
AC_MSG_ERROR([--with-ca-fallback only allows yes or no as parameter])
|
||||
fi
|
||||
],
|
||||
[ with_ca_fallback="no"])
|
||||
AC_MSG_RESULT([$with_ca_fallback])
|
||||
if test "x$with_ca_fallback" = "xyes"; then
|
||||
if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1"; then
|
||||
AC_MSG_ERROR([--with-ca-fallback only works with OpenSSL or GnuTLS])
|
||||
fi
|
||||
AC_DEFINE_UNQUOTED(CURL_CA_FALLBACK, 1, [define "1" to use built in CA store of SSL library ])
|
||||
fi
|
||||
])
|
||||
|
||||
|
||||
|
@ -3895,6 +3895,7 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
|
||||
SSPI support: ${curl_sspi_msg}
|
||||
ca cert bundle: ${ca}
|
||||
ca cert path: ${capath}
|
||||
ca fallback: ${with_ca_fallback}
|
||||
LDAP support: ${curl_ldap_msg}
|
||||
LDAPS support: ${curl_ldaps_msg}
|
||||
RTSP support: ${curl_rtsp_msg}
|
||||
|
@ -5,7 +5,7 @@
|
||||
* | (__| |_| | _ <| |___
|
||||
* \___|\___/|_| \_\_____|
|
||||
*
|
||||
* Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
* Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
*
|
||||
* This software is licensed as described in the file COPYING, which
|
||||
* you should have received as part of this distribution. The terms
|
||||
@ -487,6 +487,14 @@ gtls_connect_step1(struct connectdata *conn,
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef CURL_CA_FALLBACK
|
||||
/* use system ca certificate store as fallback */
|
||||
if(data->set.ssl.verifypeer &&
|
||||
!(data->set.ssl.CAfile || data->set.ssl.CApath)) {
|
||||
gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
|
||||
}
|
||||
#endif
|
||||
|
||||
if(data->set.ssl.CRLfile) {
|
||||
/* set the CRL list file */
|
||||
rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
|
||||
|
@ -1960,6 +1960,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]:
|
||||
"none");
|
||||
}
|
||||
#ifdef CURL_CA_FALLBACK
|
||||
else if(data->set.ssl.verifypeer) {
|
||||
/* verfying the peer without any CA certificates won't
|
||||
work so use openssl's built in default as fallback */
|
||||
SSL_CTX_set_default_verify_paths(connssl->ctx);
|
||||
}
|
||||
#endif
|
||||
|
||||
if(data->set.str[STRING_SSL_CRLFILE]) {
|
||||
/* tell SSL where to find CRL file that is used to check certificate
|
||||
|
Loading…
Reference in New Issue
Block a user