curl: add --ca-native and --proxy-ca-native

These are two boolean options that ask curl to use the native OS's CA
store when verifying TLS servers, for peers and for proxies
respectively.

They currently only have an effect for curl on Windows when built to use
OpenSSL for TLS.

Closes #11049
Daniel Stenberg 2023-06-03 23:48:37 +02:00
parent c78a185df7
commit 9ad23c38e5
GPG Key ID: 5CC908FDB71E12C2
8 changed files with 63 additions and 4 deletions


@ -30,6 +30,7 @@ DPAGES = \
append.d \
aws-sigv4.d \
basic.d \
ca-native.d \
cacert.d \
capath.d \
cert-status.d \
@ -170,6 +171,7 @@ DPAGES = \
proto.d \
proxy-anyauth.d \
proxy-basic.d \
proxy-ca-native.d \
proxy-cacert.d \
proxy-capath.d \
proxy-cert-type.d \


@ -0,0 +1,19 @@
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Long: ca-native
Help: Use CA certificates from the native OS
Protocols: TLS
Category: tls
See-also: cacert capath insecure
Example: --ca-native $URL
Added: 8.2.0
Multi: boolean
---
Tells curl to use the CA store from the native operating system to verify the
peer. By default, curl will otherwise use a CA store provided in a single file
or directory, but when using this option it will interface the operating
system's own vault.
This option only works for curl on Windows when built to use OpenSSL. When
curl on Windows is built to use Schannel, this feature is implied and curl
then only uses the native CA store.


@ -0,0 +1,19 @@
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Long: proxy-ca-native
Help: Use CA certificates from the native OS for proxy
Protocols: TLS
Category: tls
See-also: cacert capath insecure
Example: --ca-native $URL
Added: 8.2.0
Multi: boolean
---
Tells curl to use the CA store from the native operating system to verify the
HTTPS proxy. By default, curl will otherwise use a CA store provided in a
single file or directory, but when using this option it will interface the
operating system's own vault.
This option only works for curl on Windows when built to use OpenSSL. When
curl on Windows is built to use Schannel, this feature is implied and curl
then only uses the native CA store.


@ -16,6 +16,7 @@
--append (-a) 4.8
--aws-sigv4 7.75.0
--basic 7.10.6
--ca-native 8.2.0
--cacert 7.5
--capath 7.9.8
--cert (-E) 5.0
@ -157,6 +158,7 @@
--proxy (-x) 4.0
--proxy-anyauth 7.13.2
--proxy-basic 7.12.0
--proxy-ca-native 8.2.0
--proxy-cacert 7.52.0
--proxy-capath 7.52.0
--proxy-cert 7.52.0


@ -259,7 +259,8 @@ struct OperationConfig {
bool ssl_revoke_best_effort; /* ignore SSL revocation offline/missing
revocation list errors */
bool native_ca_store; /* use the native os ca store */
bool native_ca_store; /* use the native OS CA store */
bool proxy_native_ca_store; /* use the native OS CA store for proxy */
bool ssl_auto_client_cert; /* automatically locate and use a client
certificate for authentication (Schannel) */
bool proxy_ssl_auto_client_cert; /* proxy version of ssl_auto_client_cert */


@ -247,6 +247,8 @@ static const struct LongShort aliases[]= {
{"Ed", "key-type", ARG_STRING},
{"Ee", "pass", ARG_STRING},
{"Ef", "engine", ARG_STRING},
{"EG", "ca-native", ARG_BOOL},
{"EH", "proxy-ca-native", ARG_BOOL},
{"Eg", "capath", ARG_FILENAME},
{"Eh", "pubkey", ARG_STRING},
{"Ei", "hostpubmd5", ARG_STRING},
@ -1723,9 +1725,15 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
cleanarg(clearthis);
GetFileAndPassword(nextarg, &config->cert, &config->key_passwd);
break;
case 'a': /* CA info PEM file */
case 'a': /* --cacert CA info PEM file */
GetStr(&config->cacert, nextarg);
break;
case 'G': /* --ca-native */
config->native_ca_store = toggle;
break;
case 'H': /* --proxy-ca-native */
config->proxy_native_ca_store = toggle;
break;
case 'b': /* cert file type */
GetStr(&config->cert_type, nextarg);
break;
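Review bot: The new `case 'G'` and `case 'H'` are inserted between `case 'a'` and `case 'b'` of the `'E'` group, whereas the aliases table in the first hunk places "EG" and "EH" after "Ef" and before "Eg"; keeping the switch in the same order as the table makes the letter-to-option pairing easier to audit. The cases themselves look right, and `toggle` presumably gives the `--no-ca-native` and `--no-proxy-ca-native` forms for free since both entries are ARG_BOOL. It would help to record on the case comment that the flag is stored on every build even though, per the commit description, only OpenSSL builds on Windows honor it, e.g. `case 'G': /* --ca-native (requests CURLSSLOPT_NATIVE_CA; no effect unless the TLS backend supports it) */`. getparameter starts and ends outside the hunk.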


@ -51,6 +51,9 @@ const struct helptxt helptext[] = {
{" --basic",
"Use HTTP Basic Authentication",
CURLHELP_AUTH},
{" --ca-native",
"Use CA certificates from the native OS",
CURLHELP_TLS},
{" --cacert <file>",
"CA certificate to verify peer against",
CURLHELP_TLS},
@ -274,7 +277,7 @@ const struct helptxt helptext[] = {
"Use HTTP 1.1",
CURLHELP_HTTP},
{" --http2",
"Use HTTP 2",
"Use HTTP/2",
CURLHELP_HTTP},
{" --http2-prior-knowledge",
"Use HTTP 2 without HTTP/1.1 Upgrade",
@ -474,6 +477,9 @@ const struct helptxt helptext[] = {
{" --proxy-basic",
"Use Basic authentication on the proxy",
CURLHELP_PROXY | CURLHELP_AUTH},
{" --proxy-ca-native",
"Use CA certificates from the native OS for proxy",
CURLHELP_TLS},
{" --proxy-cacert <file>",
"CA certificate to verify peer against for proxy",
CURLHELP_PROXY | CURLHELP_TLS},
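Review bot: In the third hunk `--proxy-ca-native` is tagged `CURLHELP_TLS` alone, while the neighbouring proxy entries also carry the proxy category (`--proxy-basic` is `CURLHELP_PROXY | CURLHELP_AUTH`, `--proxy-cacert` is `CURLHELP_PROXY | CURLHELP_TLS`), so the new option will not be listed under the proxy help category. Change that line to `CURLHELP_PROXY | CURLHELP_TLS},`. If this table is generated from the .d option files, the fix belongs in proxy-ca-native.d instead, whose `Category:` line currently reads `tls`, and the same file's `Example:` line still shows `--ca-native $URL` rather than `--proxy-ca-native`. The `--http2` wording fix in the second hunk is unrelated to this feature and would read better as its own commit.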


@ -1779,7 +1779,9 @@ static CURLcode single_transfer(struct GlobalConfig *global,
(config->proxy_ssl_allow_beast ?
CURLSSLOPT_ALLOW_BEAST : 0) |
(config->proxy_ssl_auto_client_cert ?
CURLSSLOPT_AUTO_CLIENT_CERT : 0);
CURLSSLOPT_AUTO_CLIENT_CERT : 0) |
(config->proxy_native_ca_store ?
CURLSSLOPT_NATIVE_CA : 0);
if(mask)
my_setopt_bitmask(curl, CURLOPT_PROXY_SSL_OPTIONS, mask);
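Review bot: Only the proxy mask passed to CURLOPT_PROXY_SSL_OPTIONS gains `CURLSSLOPT_NATIVE_CA` here; the peer-side CURLOPT_SSL_OPTIONS mask that would consume `config->native_ca_store` is outside this hunk and is not touched by the commit. Since `native_ca_store` already existed in OperationConfig (the tool_cfgable.h hunk only rewords its comment), that path is presumably already wired, but it is worth confirming so that `--ca-native` has an effect and not just `--proxy-ca-native`. A short comment on the new lines would also spare the next reader a trip to the docs: `/* CURLSSLOPT_NATIVE_CA is only honored by OpenSSL builds on Windows; other backends ignore the bit and keep using the configured CA file/path */`. single_transfer starts and ends outside the hunk.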