curl-library
Re: curl bad verify SSL certificates (fwd)
From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 19 Aug 2002 06:59:35 +0200 (MET DST)
forwarded to the libcurl mailing list
-- 
 Daniel Stenberg -- curl related mails on curl related mailing lists please

---------- Forwarded message ----------
Date: Sun, 18 Aug 2002 19:01:33 -0400
From: Tom Zerucha <tz_at_execpc.com>
To: Daniel Stenberg <daniel_at_haxx.se>
Subject: Re: curl bad verify SSL certificates (fwd)

On Sat, Aug 17, 2002 at 03:06:30PM +0200, Daniel Stenberg wrote:
> On Thu, 15 Aug 2002, Daniel Stenberg wrote:
>
> Full details are here:
> http://sourceforge.net/tracker/?func=detail&aid=595426&group_id=976&atid=100976
>
> No, I still cannot see what the problem is or what the solution is supposed
> to do.

A patch is attached that works on Linux and Mac OS X, but see below.

I didn't create a new error, which you might want to do, CURLE_CERT_INVALID or something, and a command line switch to override/ignore a bad cert (with messages about the evils of doing this as it kills any security - if you are using your own CA you can put the CA cert in the certs directory or file with the rest).

You must have the certificates from OpenSSL in the default certificate directory. THIS IS NOT DONE BY MOST CURRENT IMPLEMENTATIONS OF THE OPENSSL LIBRARY.

The easiest way to verify the certificate directory path is to use the "openssl ca" command. It will reply "Using configuration from [SSLPATH]openssl.cnf" - there should be a [SSLPATH]certs directory with a bunch of .pem files and some hash files (numbers).

When installing openssl, you should do "make rehash", then copy the contents of the certs directory into [SSLPATH]certs. THIS IS WHAT IS NOT DONE.

[SSLPATH] is /usr/ssl on Suse linux, /usr/local/ssl most other places, /System/Library/OpenSSL on Mac OS X or Darwin, /etc/ssl sometimes. The openssl program knows where it is.

Patch:

--- curl-7.9.8/lib/ssluse.c 2002-06-10 09:24:15.000000000 -0400
+++ curl-7.9.8-sslfix/lib/ssluse.c 2002-08-18 18:36:29.000000000 -0400
@@ -348,14 +348,21 @@ return(1); } -static -int cert_verify_callback(int ok, X509_STORE_CTX *ctx) +/* Cert validation */ +static int certok; +static int cert_verify_callback(int ok, X509_STORE_CTX *ctx) { - X509 *err_cert; char buf[256]; + int err; + + certok = ok; + err = X509_STORE_CTX_get_error(ctx); + if (ok == 1 && err < 2) + return ok; - err_cert=X509_STORE_CTX_get_current_cert(ctx); - X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256); + ERR_load_crypto_strings(), SSL_load_error_strings(); + fprintf(stderr, "SSL CERTIFICATE STATUS: ok=%d err=%s(%d)\n", + ok, X509_verify_cert_error_string(err), err); return ok; } @@ -715,6 +721,8 @@ return CURLE_OUT_OF_MEMORY; } + SSL_CTX_set_default_verify_paths(conn->ssl.ctx); + if(data->set.cert) { if (!cert_stuff(conn, data->set.cert, @@ -769,6 +777,7 @@ /* pass the raw socket into the SSL layers */ SSL_set_fd(conn->ssl.handle, conn->firstsocket); + certok = 1; do { int what; @@ -779,6 +788,9 @@ err = SSL_connect(conn->ssl.handle); + if( !certok ) + return CURLE_SSL_CONNECT_ERROR; + what = SSL_get_error(conn->ssl.handle, err); FD_ZERO(&writefd);

Received on 2002-08-19
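Review bot: in the first hunk (cert_verify_callback), `char buf[256]` is kept but its only user, the removed `X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256)` call, is gone, so it is now an unused variable, and the diagnostic no longer names which certificate in the chain failed. Keep `err_cert` and the subject lookup and print the subject alongside the error string; that is what an operator needs to tell a missing CA from a wrong hostname or an expired certificate. Two smaller points: `if (ok == 1 && err < 2)` hides a magic number, compare against X509_V_OK explicitly and say in a comment why any other value is passed through; and `ERR_load_crypto_strings(), SSL_load_error_strings();` (comma operator, re-run on every failing callback) plus `fprintf(stderr, ...)` write straight to the process's stderr from inside a library, bypassing libcurl's own error reporting, so an application embedding libcurl never sees the message.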
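Review bot: in the second hunk the return value of `SSL_CTX_set_default_verify_paths(conn->ssl.ctx)` is discarded. It returns 0 when the compiled-in OPENSSLDIR locations cannot be loaded, which is exactly the "THIS IS NOT DONE" situation the mail describes, and ignoring it turns that misconfiguration into an unexplained connect failure later on. Check the result and fail with a message naming the default CA path. The call is also made unconditionally for every context, so callers that configure their own CA store still get the compiled-in defaults merged in; if that fallback is intended, say so in a comment next to the call.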
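Review bot: in the third hunk `certok = 1;` resets a file-scope static, so verification state is shared by every connection in the process: two handles connecting concurrently from different threads, or two non-blocking connects interleaved in one thread, can overwrite each other's flag and a failed verification on one connection can be masked by a successful one on another. Keep the result per connection, for example in the connection's ssl data and handed to the callback through the SSL object's application data, or drop the flag and read `SSL_get_verify_result(conn->ssl.handle)` after the handshake, which OpenSSL tracks per SSL object already.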
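Review bot: in the fourth hunk the early `return CURLE_SSL_CONNECT_ERROR` gives the caller no way to distinguish a certificate verification failure from any other handshake failure, and the only explanation is the stderr line printed by the callback. The mail itself proposes a dedicated code (CURLE_CERT_INVALID or similar); add one and carry the `X509_verify_cert_error_string(err)` text into the error message returned to the caller. The check also sits inside the `do { ... }` loop that retries `SSL_connect` and before `what = SSL_get_error(...)` is evaluated; that is correct only because `certok` is cleared solely by the callback, which deserves a one-line comment so the next reader does not move the test.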
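The certificate-directory check Tom describes above (find [SSLPATH], look for a certs directory holding .pem files plus the hash links that "make rehash" creates), written out as an added shell example; it is not part of this thread and not code from curl or OpenSSL. It assumes an `openssl` binary on PATH only for locating OPENSSLDIR with `openssl version -d`; the directory checks themselves use POSIX shell only. The hash-link naming it looks for (eight hex digits, a dot, a sequence number, e.g. 5ed36f99.0) is the layout the OpenSSL c_rehash script produces. With the patch's `SSL_CTX_set_default_verify_paths()` call, a certs directory that is missing, empty or not rehashed means every peer certificate fails verification, which is the failure this script makes visible before any connection is attempted.

```shell
#!/bin/sh
# Added example, not from the thread or from curl/OpenSSL: check whether an
# OpenSSL certificate directory is usable as a default verify path, i.e. it
# holds CA certificates AND the hash links that "make rehash" / c_rehash create.
# Assumptions: an openssl binary on PATH (only for openssl_dir); POSIX sh
# elsewhere. Hash links are named <8 hex digits>.<n>, e.g. 5ed36f99.0.

# Print OPENSSLDIR, the [SSLPATH] of the mail, taken from "openssl version -d"
# (its output looks like: OPENSSLDIR: "/usr/local/ssl"). Empty if no openssl.
openssl_dir() {
    openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Count entries directly inside directory $1 whose name matches glob $2.
# Shell globbing only, for portability; an unmatched glob expands to itself
# and is rejected by the -e/-L test.
count_entries() {
    n=0
    for f in "$1"/$2; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Exit status: 0 = certificates present and rehashed,
#              1 = .pem files present but no hash links ("THIS IS WHAT IS NOT DONE"),
#              2 = no .pem certificates at all,
#              3 = directory missing.
check_certdir() {
    dir=$1
    [ -d "$dir" ] || return 3
    pems=$(count_entries "$dir" '*.pem')
    hashes=$(count_entries "$dir" '[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*')
    [ "$pems" -gt 0 ] || return 2
    [ "$hashes" -gt 0 ] || return 1
    return 0
}

# Human-readable verdict for directory $1 (always exits 0; use check_certdir
# directly when the status matters).
describe_certdir() {
    rc=0
    check_certdir "$1" || rc=$?
    case $rc in
        0) echo "$1: certificates present and rehashed; usable as default verify path" ;;
        1) echo "$1: .pem files present but no hash links; run c_rehash (or 'make rehash') on it" ;;
        2) echo "$1: no .pem certificates; copy the CA certificates in, then rehash" ;;
        3) echo "$1: directory does not exist" ;;
    esac
}

# Stand-alone run: inspect [SSLPATH]/certs when an openssl binary is available.
sslpath=$(openssl_dir)
if [ -n "$sslpath" ]; then
    describe_certdir "$sslpath/certs"
fi
```

Run it with `sh check_certdir.sh`; to test a specific directory, call `check_certdir /etc/ssl/certs` and inspect `$?`. The script deliberately keys on hash links rather than on the .pem files alone, because OpenSSL's directory lookup opens certificates by hashed name and never scans the directory, so a directory full of .pem files without links is exactly as useless to `SSL_CTX_set_default_verify_paths()` as an empty one.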