1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-23 00:28:48 -05:00

CURLcode: add CURLE_SSL_CLIENTCERT

When a TLS server requests a client certificate during handshake and
none can be provided, libcurl now returns this new error code
CURLE_SSL_CLIENTCERT

Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.

Closes #6721
This commit is contained in:
ejanchivdorj 2021-03-10 23:50:13 -08:00 committed by Daniel Stenberg
parent 0acfe05c2e
commit 94241a9e78
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
7 changed files with 26 additions and 4 deletions

View File

@ -262,6 +262,8 @@ be one out of several problems, see the error buffer for details.
.IP "CURLE_QUIC_CONNECT_ERROR (96)"
QUIC connection error. This error may be caused by an SSL library error. QUIC
is the protocol used for HTTP/3 transfers.
.IP "CURLE_SSL_CLIENTCERT (98)"
SSL Client Certificate required.
.IP "CURLE_OBSOLETE*"
These error codes will never be returned. They were used in an old libcurl
version and are currently unused.

View File

@ -126,6 +126,7 @@ CURLE_SSL_CACERT 7.10 7.62.0
CURLE_SSL_CACERT_BADFILE 7.16.0
CURLE_SSL_CERTPROBLEM 7.10
CURLE_SSL_CIPHER 7.10
CURLE_SSL_CLIENTCERT 7.77.0
CURLE_SSL_CONNECT_ERROR 7.1
CURLE_SSL_CRL_BADFILE 7.19.0
CURLE_SSL_ENGINE_INITFAILED 7.12.3

View File

@ -612,6 +612,7 @@ typedef enum {
CURLE_HTTP3, /* 95 - An HTTP/3 layer problem */
CURLE_QUIC_CONNECT_ERROR, /* 96 - QUIC connection error */
CURLE_PROXY, /* 97 - proxy handshake error */
CURLE_SSL_CLIENTCERT, /* 98 - client-side certificate required */
CURL_LAST /* never use! */
} CURLcode;

View File

@ -323,6 +323,9 @@ curl_easy_strerror(CURLcode error)
case CURLE_PROXY:
return "proxy handshake error";
case CURLE_SSL_CLIENTCERT:
return "SSL Client Certificate required";
/* error codes not used by current libcurl */
case CURLE_OBSOLETE20:
case CURLE_OBSOLETE24:

View File

@ -3292,6 +3292,19 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data,
error_buffer */
strcpy(error_buffer, "SSL certificate verification failed");
}
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
!defined(LIBRESSL_VERSION_NUMBER) && \
!defined(OPENSSL_IS_BORINGSSL))
/* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
OpenSSL version above v1.1.1, not Libre SSL nor BoringSSL */
else if((lib == ERR_LIB_SSL) &&
(reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
/* If client certificate is required, communicate the
error to client */
result = CURLE_SSL_CLIENTCERT;
ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
}
#endif
else {
result = CURLE_SSL_CONNECT_ERROR;
ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));

View File

@ -2708,8 +2708,9 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn,
#if CURL_BUILD_MAC_10_6
/* Only returned when kSSLSessionOptionBreakOnCertRequested is set */
case errSSLClientCertRequested:
failf(data, "The server has requested a client certificate");
break;
failf(data, "Server requested a client certificate during the "
"handshake");
return CURLE_SSL_CLIENTCERT;
#endif
#if CURL_BUILD_MAC_10_9
/* Alias for errSSLLast, end of error range */

View File

@ -130,7 +130,8 @@ e94: An authentication function returned an error
e95: HTTP/3 error
e96: QUIC connection error
e97: proxy handshake error
e98: Unknown error
e98: SSL Client Certificate required
e99: Unknown error
m-1: Please call curl_multi_perform() soon
m0: No error
m1: Invalid multi handle