curl-library

A first proposal patch for using Windows certificate store when compiling with openssl

From: Gilles Vollant via curl-library <curl-library_at_cool.haxx.se>
Date: Sun, 9 Sep 2018 21:28:22 +0200

Starting from the stackoverflow article, I made a patch against
lib/vtls/openssl.c

I worked against commit
https://github.com/curl/curl/commit/6684653b682bae0be75ea62bb473b126923952f1

It runs well for me

Before committing on git, there are probably two questions:

- Is the #if defined(HAVE_WINDOWS_H) test good to decide whether to include
Wincrypt.h and this code? Or another macro?

- And if both HAVE_WINDOWS_H (or alternate macro) and
CURL_CA_FALLBACK are defined?

Here is the patch

*** openssl.git Sun Sep 09 21:15:17 2018

--- openssl.gv Sun Sep 09 21:18:03 2018

***************

*** 2184,2189 ****

--- 2184,2195 ----

    return CURLE_OK;

  }

  

+

+ #if defined(HAVE_WINDOWS_H)

+ #include <Wincrypt.h>

+ #pragma comment(lib, "crypt32.lib")

+ #endif

+

  static CURLcode ossl_connect_step1(struct connectdata *conn, int
sockindex)

  {

    CURLcode result = CURLE_OK;
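Review bot: the new `#include <Wincrypt.h>` and `#pragma comment(lib, "crypt32.lib")` are dropped between two functions in the middle of openssl.c rather than with the file's other headers, and `#pragma comment(lib, ...)` is honoured only by MSVC-compatible compilers, so a MinGW build that also defines HAVE_WINDOWS_H would compile this block and then fail at link time unless crypt32 is added to the link line. Suggest moving the include up next to the existing Windows includes and expressing the crypt32 dependency in the build files instead of a pragma. HAVE_WINDOWS_H only says the header exists; it says nothing about the toolchain, which is relevant to the question in the mail about which macro to test here.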

***************

*** 2521,2527 ****

            ssl_cafile ? ssl_cafile : "none",

            ssl_capath ? ssl_capath : "none");

    }

! #ifdef CURL_CA_FALLBACK

    else if(verifypeer) {

      /* verfying the peer without any CA certificates won't

         work so use openssl's built in default as fallback */

--- 2527,2563 ----

            ssl_cafile ? ssl_cafile : "none",

            ssl_capath ? ssl_capath : "none");

    }

!

! #if defined(HAVE_WINDOWS_H) && !defined(CURL_CA_FALLBACK)

! else if (verifypeer) {

! // read
https://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-s
ystem-certificate-store/15451831

! //

! if ((!ssl_cafile) && (!ssl_capath)) {

! X509_STORE *store = SSL_CTX_get_cert_store(BACKEND->ctx);

! PCCERT_CONTEXT pContext = NULL;

!

! HCERTSTORE hStore = CertOpenSystemStoreW((HCRYPTPROV_LEGACY)NULL,
L"ROOT");

!

! if (hStore) {

! while (pContext = CertEnumCertificatesInStore(hStore, pContext))

! {

! const unsigned char *encoded_cert = (const unsigned char
*)pContext->pbCertEncoded;

! X509 *x509 = d2i_X509(NULL, &encoded_cert,
pContext->cbCertEncoded);

!

! if (x509)

! {

! X509_STORE_add_cert(store, x509);

! X509_free(x509);

! }

! }

!

! CertFreeCertificateContext(pContext);

! CertCloseStore(hStore, 0);

! }

! }

! }

! #endif

! #if defined(CURL_CA_FALLBACK)

    else if(verifypeer) {

      /* verfying the peer without any CA certificates won't

         work so use openssl's built in default as fallback */
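Review bot: when both HAVE_WINDOWS_H and CURL_CA_FALLBACK are defined, the guard `#if defined(HAVE_WINDOWS_H) && !defined(CURL_CA_FALLBACK)` compiles the Windows store branch out entirely and the build silently falls through to the OpenSSL default paths; that settles the second question in the mail, but probably not in the intended direction, so consider giving the Windows store precedence and keeping the CURL_CA_FALLBACK block as the `else` case instead of two mutually exclusive blocks. The return value of `X509_STORE_add_cert(store, x509);` is ignored, so a certificate that fails to load (including duplicates, which older OpenSSL versions report as an error) is dropped without an `infof` trace, and a failed `CertOpenSystemStoreW` likewise produces no diagnostic even though the branch just above logs the CAfile/CApath in use. Smaller points: `while (pContext = CertEnumCertificatesInStore(hStore, pContext))` should be an explicit comparison against NULL, the `CertFreeCertificateContext(pContext);` after the loop always receives NULL because the loop only exits when enumeration returns NULL, and the `//` comments and `if (` spacing do not match the `/* */` comments and `if(` style of the surrounding code.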

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-09-09