- Added --with-ca-path=DIRECTORY configure option to use an openSSL CApath by

default instead of a ca bundle. The configure script will also look for a
  ca path if no ca bundle is found and no option given.

- Fixed detection of previously installed curl-ca-bundle.crt
This commit is contained in:
Michal Marek 2008-03-20 08:09:23 +00:00
parent e9a460411f
commit 86cbb23282
7 changed files with 101 additions and 25 deletions

View File

@ -6,6 +6,13 @@
Changelog
Michal Marek (20 Mar 2008)
- Added --with-ca-path=DIRECTORY configure option to use an openSSL CApath by
default instead of a ca bundle. The configure script will also look for a
ca path if no ca bundle is found and no option given.
- Fixed detection of previously installed curl-ca-bundle.crt
Daniel Fandrich (18 Mar 2008)
- Added test 626 to reproduce an infinite loop when given an invalid
SFTP quote command reported by Vincent Le Normand, and fixed it.

View File

@ -22,6 +22,8 @@ This release includes the following changes:
currently only works in C mode)
o curl_easy_setopt(), curl_easy_getinfo(), curl_share_setopt() and
curl_multi_setopt() uses are now checked to use exactly three arguments
o --with-ca-path=DIR configure option allows to set an openSSL CApath instead
of a default ca bundle.
This release includes the following bugfixes:

View File

@ -2500,21 +2500,60 @@ dnl regarding the paths this will scan:
dnl /etc/ssl/certs/ca-certificates.crt Debian systems
dnl /etc/pki/tls/certs/ca-bundle.crt Redhat and Mandriva
dnl /usr/share/ssl/certs/ca-bundle.crt old(er) Redhat
dnl /etc/ssl/certs/ (ca path) SUSE
AC_DEFUN([CURL_CHECK_CA_BUNDLE], [
AC_MSG_CHECKING([default CA cert bundle])
AC_MSG_CHECKING([default CA cert bundle/path])
AC_ARG_WITH(ca-bundle,
AC_HELP_STRING([--with-ca-bundle=FILE], [File name to use as CA bundle])
AC_HELP_STRING([--without-ca-bundle], [Don't use a default CA bundle]),
[ ca="$withval" ],
[
want_ca="$withval"
if test "x$want_ca" = "xyes"; then
AC_MSG_ERROR([--with-ca-bundle=FILE requires a path to the CA bundle])
fi
],
[ want_ca="unset" ])
AC_ARG_WITH(ca-path,
AC_HELP_STRING([--with-ca-path=DIRECTORY], [Directory to use as CA path])
AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
[
want_capath="$withval"
if test "x$want_capath" = "xyes"; then
AC_MSG_ERROR([--with-ca-path=DIRECTORY requires a path to the CA path directory])
fi
],
[ want_capath="unset"])
if test "x$want_ca" != "xno" -a "x$want_ca" != "xunset" -a \
"x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
dnl both given
AC_MSG_ERROR([Can't specify both --with-ca-bundle and --with-ca-path.])
elif test "x$want_ca" != "xno" -a "x$want_ca" != "xunset"; then
dnl --with-ca-bundle given
ca="$want_ca"
capath="no"
elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
dnl --with-ca-path given
if test "x$OPENSSL_ENABLED" != "x1"; then
AC_MSG_ERROR([--with-ca-path only works with openSSL])
fi
capath="$want_capath"
ca="no"
else
dnl neither of --with-ca-* given
dnl first try autodetecting a CA bundle , then a CA path
dnl both autodetections can be skipped by --without-ca-*
ca="no"
capath="no"
if test "x$want_ca" = "xunset"; then
dnl the path we previously would have installed the curl ca bundle
dnl to, and thus we now check for an already existing cert in that place
dnl in case we find no other
if test "x$prefix" != xNONE; then
cac="\${prefix}/share/curl/curl-ca-bundle.crt"
cac="${prefix}/share/curl/curl-ca-bundle.crt"
else
cac="$ac_default_prefix/share/curl/curl-ca-bundle.crt"
fi
@ -2523,18 +2562,35 @@ AC_HELP_STRING([--without-ca-bundle], [Don't use a default CA bundle]),
/etc/pki/tls/certs/ca-bundle.crt \
/usr/share/ssl/certs/ca-bundle.crt \
"$cac"; do
if test -f $a; then
if test -f "$a"; then
ca="$a"
break
fi
done
]
)
fi
if test "x$want_capath" = "xunset" -a "x$ca" = "xno" -a \
"x$OPENSSL_ENABLED" = "x1"; then
for a in /etc/ssl/certs/; do
if test -d "$a" && ls "$a"/[[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]].0 >/dev/null 2>/dev/null; then
capath="$a"
break
fi
done
fi
fi
if test "x$ca" != "xno"; then
CURL_CA_BUNDLE='"'$ca'"'
AC_SUBST(CURL_CA_BUNDLE)
fi
AC_MSG_RESULT([$ca])
elif test "x$capath" != "xno"; then
CURL_CA_PATH="\"$capath\""
AC_SUBST(CURL_CA_PATH)
AC_MSG_RESULT([$capath (capath)])
else
AC_MSG_RESULT([no])
fi
])

View File

@ -1618,6 +1618,7 @@ dnl **********************************************************************
CURL_CHECK_CA_BUNDLE
AM_CONDITIONAL(CABUNDLE, test x$ca != xno)
AM_CONDITIONAL(CAPATH, test x$capath != xno)
dnl **********************************************************************
dnl Check for the presence of IDN libraries and headers
@ -2488,7 +2489,8 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
Built-in manual: ${curl_manual_msg}
Verbose errors: ${curl_verbose_msg}
SSPI support: ${curl_sspi_msg}
ca cert path: ${ca}
ca cert bundle: ${ca}
ca cert path: ${capath}
LDAP support: ${curl_ldap_msg}
LDAPS support: ${curl_ldaps_msg}
])

View File

@ -113,6 +113,11 @@ if CABUNDLE
else
echo '#undef CURL_CA_BUNDLE /* unknown default path */' >> $@
endif
if CAPATH
echo '#define CURL_CA_PATH @CURL_CA_PATH@' >> $@
else
echo '#undef CURL_CA_PATH /* unknown default path */' >>$@
endif
# this hook is mainly for non-unix systems to build even if configure
# isn't run

View File

@ -745,9 +745,11 @@ void curl_easy_reset(CURL *curl)
*/
data->set.ssl.verifypeer = TRUE;
data->set.ssl.verifyhost = 2;
#ifdef CURL_CA_BUNDLE
/* This is our prefered CA cert bundle since install time */
/* This is our prefered CA cert bundle/path since install time */
#if defined(CURL_CA_BUNDLE)
(void) curl_easy_setopt(curl, CURLOPT_CAINFO, (char *) CURL_CA_BUNDLE);
#elif defined(CURL_CA_PATH)
(void) curl_easy_setopt(curl, CURLOPT_CAPATH, (char *) CURL_CA_PATH);
#endif
data->set.ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth

View File

@ -746,10 +746,12 @@ CURLcode Curl_open(struct SessionHandle **curl)
data->set.ssl.verifypeer = TRUE;
data->set.ssl.verifyhost = 2;
data->set.ssl.sessionid = TRUE; /* session ID caching enabled by default */
#ifdef CURL_CA_BUNDLE
/* This is our preferred CA cert bundle since install time */
/* This is our preferred CA cert bundle/path since install time */
#if defined(CURL_CA_BUNDLE)
res = setstropt(&data->set.str[STRING_SSL_CAFILE],
(char *) CURL_CA_BUNDLE);
#elif defined(CURL_CA_PATH)
res = setstropt(&data->set.str[STRING_SSL_CAPATH], (char *) CURL_CA_PATH);
#endif
}