curl_easy_setopt(curl, CURLOPT_CAPATH, path) with mbedtls returns CURLE_NOT_BUILT_IN #1877

Closed
SBKarr opened this Issue Sep 8, 2017 · 4 comments

SBKarr commented Sep 8, 2017

But curl uses mbedtls_x509_crt_parse_path in the mbedtls backend if ssl_capath was configured.

libcurl: 7.55.1 (13 Aug 2017)
mbedtls: 2.6.0
OS: Ubuntu 16.04

  curl version:     7.55.1
  Host setup:       x86_64-pc-linux-gnu
  Install prefix:   
  Compiler:         clang
  SSL support:      enabled (mbedTLS)
  SSH support:      no      (--with-libssh2)
  zlib support:     enabled
  GSS-API support:  no      (--with-gssapi)
  TLS-SRP support:  no      (--enable-tls-srp)
  resolver:         POSIX threaded
  IPv6 support:     enabled
  Unix sockets support: no      (--enable-unix-sockets)
  IDN support:      no      (--with-{libidn2,winidn})
  Build libcurl:    Shared=no, Static=yes
  Built-in manual:  no      (--enable-manual)
  --libcurl option: enabled (--disable-libcurl-option)
  Verbose errors:   no
  SSPI support:     no      (--enable-sspi)
  ca cert bundle:   no
  ca cert path:     no
  ca fallback:      no
  LDAP support:     no      (--enable-ldap / --with-ldap-lib / --with-lber-lib)
  LDAPS support:    no      (--enable-ldaps)
  RTSP support:     no      (--enable-rtsp)
  RTMP support:     no      (--with-librtmp)
  metalink support: no      (--with-libmetalink)
  PSL support:      no      (libpsl not found)
  HTTP2 support:    disabled (--with-nghttp2)
  Protocols:        FILE FTP FTPS HTTP HTTPS SMTP SMTPS

It just works if I define #define have_curlssl_ca_path 1 in mbedtls.h, but I think it should be tested somehow.

@bagder bagder added the SSL/TLS label Sep 9, 2017

bagder commented Sep 9, 2017

If curl_easy_setopt returns that, it is because the libcurl you're using was built totally without SSL support!

See: https://github.com/curl/curl/blob/master/lib/url.c#L2293

jay commented Sep 10, 2017

This report may be legit; the mbedtls function is for CA path, but that is disabled for some reason:

curl/lib/vtls/mbedtls.c

Lines 1042 to 1049 in a14f715

const struct Curl_ssl Curl_ssl_mbedtls = {
{ CURLSSLBACKEND_MBEDTLS, "mbedtls" }, /* info */
0, /* have_ca_path */
0, /* have_certinfo */
1, /* have_pinnedpubkey */
1, /* have_ssl_ctx */
0, /* support_https_proxy */

The doc says it's supported for PolarSSL, but since contributors made the mbedTLS code from that, I'd guess it should be supported for mbedTLS too.

/cc @dscho

SBKarr commented Sep 10, 2017

I usually use a CA bundle file with CURLOPT_CAINFO; it's OK for TLS (HTTPS, SMTPS; CURLOPT_SSL_VERIFYPEER, 1L, CURLOPT_SSL_VERIFYHOST, 2L) with the same libcurl that returns CURLE_NOT_BUILT_IN for CURLOPT_CAPATH.

It's also OK if I build libcurl 7.55.1 with #define have_curlssl_ca_path 1 in mbedtls.h.

So I think it's a have_ca_path problem, not a USE_SSL problem.

jay added a commit that referenced this issue Sep 10, 2017

mbedtls: enable CA path processing
CA path processing was implemented when mbedtls.c was added to libcurl
in fe7590f, but it was never enabled.

Bug: #1877
Reported-by: SBKarr@users.noreply.github.com
jay commented Sep 10, 2017

I see. It looks as though it's been like that since it was added. Thanks, landed in 64bb7ae.

@jay jay closed this Sep 10, 2017

@lock lock bot locked as resolved and limited conversation to collaborators May 6, 2018
