curl_easy_setopt(curl, CURLOPT_CAPATH, path) with mbedtls returns CURLE_NOT_BUILT_IN #1877

Closed
SBKarr opened this Issue Sep 8, 2017 · 4 comments


SBKarr commented Sep 8, 2017

But curl uses mbedtls_x509_crt_parse_path in mbedtls backend, if ssl_capath was configured.

libcurl: 7.55.1 (13 Aug 2017)
mbedtls: 2.6.0
OS: Ubuntu 16.04

  curl version:     7.55.1
  Host setup:       x86_64-pc-linux-gnu
  Install prefix:   
  Compiler:         clang
  SSL support:      enabled (mbedTLS)
  SSH support:      no      (--with-libssh2)
  zlib support:     enabled
  GSS-API support:  no      (--with-gssapi)
  TLS-SRP support:  no      (--enable-tls-srp)
  resolver:         POSIX threaded
  IPv6 support:     enabled
  Unix sockets support: no      (--enable-unix-sockets)
  IDN support:      no      (--with-{libidn2,winidn})
  Build libcurl:    Shared=no, Static=yes
  Built-in manual:  no      (--enable-manual)
  --libcurl option: enabled (--disable-libcurl-option)
  Verbose errors:   no
  SSPI support:     no      (--enable-sspi)
  ca cert bundle:   no
  ca cert path:     no
  ca fallback:      no
  LDAP support:     no      (--enable-ldap / --with-ldap-lib / --with-lber-lib)
  LDAPS support:    no      (--enable-ldaps)
  RTSP support:     no      (--enable-rtsp)
  RTMP support:     no      (--with-librtmp)
  metalink support: no      (--with-libmetalink)
  PSL support:      no      (libpsl not found)
  HTTP2 support:    disabled (--with-nghttp2)
  Protocols:        FILE FTP FTPS HTTP HTTPS SMTP SMTPS

It just works if I define #define have_curlssl_ca_path 1 in mbedtls.h, but I think it should be tested somehow.

@bagder bagder added the SSL/TLS label Sep 9, 2017

Owner

bagder commented Sep 9, 2017

If curl_easy_setopt returns that, it is because the libcurl you're using was built totally without SSL support!

See: https://github.com/curl/curl/blob/master/lib/url.c#L2293

Owner

jay commented Sep 10, 2017

This report may be legit; the mbedtls function is for CA path, but that is disabled for some reason:

curl/lib/vtls/mbedtls.c

Lines 1042 to 1049 in a14f715

const struct Curl_ssl Curl_ssl_mbedtls = {
  { CURLSSLBACKEND_MBEDTLS, "mbedtls" }, /* info */
  0, /* have_ca_path */
  0, /* have_certinfo */
  1, /* have_pinnedpubkey */
  1, /* have_ssl_ctx */
  0, /* support_https_proxy */

Doc says it's supported for PolarSSL, but since contributors made the mbedTLS code from that, I'd guess it should be supported for mbedTLS too.

/cc @dscho

SBKarr commented Sep 10, 2017

I usually use a CA bundle file with CURLOPT_CAINFO; it's OK for TLS (HTTPS, SMTPS; CURLOPT_SSL_VERIFYPEER, 1L, CURLOPT_SSL_VERIFYHOST, 2L) with the same libcurl that returns CURLE_NOT_BUILT_IN for CURLOPT_CAPATH.

It's also OK if I build libcurl with #define have_curlssl_ca_path 1 in mbedtls.h (7.55.1).

So, I think it's a have_ca_path problem, not a USE_SSL problem.

jay added a commit that referenced this issue Sep 10, 2017

mbedtls: enable CA path processing
CA path processing was implemented when mbedtls.c was added to libcurl
in fe7590f, but it was never enabled.

Bug: #1877
Reported-by: SBKarr@users.noreply.github.com
Owner

jay commented Sep 10, 2017

I see. It looks as though it's been like that since it was added. Thanks, landed in 64bb7ae.

@jay jay closed this Sep 10, 2017
