
fix: securetransport doesn't work as expected when curl is built with multiple ssl backends #12704

Closed
notjaywu wants to merge 1 commit into curl:master from notjaywu:fix-backends-securetransport

Conversation

@notjaywu (Contributor)

This PR is to fix the issue #12663

Given curl is built with multiple SSL backends, CAfile is set incorrectly when SecureTransport is the selected TLS backend.

@jay (Member)

jay commented Jan 15, 2024

Let's hear from another dev on mac before we do this. Also we have code in tool_operate that exempts Schannel from SSL environment variables. Would it be a good idea to do the same change there?

curl/src/tool_operate.c

Lines 2590 to 2645 in 7161cb1

```c
/* Set the CA cert locations specified in the environment. For Windows if
 * no environment-specified filename is found then check for CA bundle
 * default filename curl-ca-bundle.crt in the user's PATH.
 *
 * If Schannel is the selected SSL backend then these locations are
 * ignored. We allow setting CA location for schannel only when explicitly
 * specified by the user via CURLOPT_CAINFO / --cacert.
 */
if(tls_backend_info->backend != CURLSSLBACKEND_SCHANNEL) {
  char *env;
  env = curlx_getenv("CURL_CA_BUNDLE");
  if(env) {
    config->cacert = strdup(env);
    if(!config->cacert) {
      curl_free(env);
      curl_easy_cleanup(curltls);
      errorf(global, "out of memory");
      return CURLE_OUT_OF_MEMORY;
    }
  }
  else {
    env = curlx_getenv("SSL_CERT_DIR");
    if(env) {
      config->capath = strdup(env);
      if(!config->capath) {
        curl_free(env);
        curl_easy_cleanup(curltls);
        errorf(global, "out of memory");
        return CURLE_OUT_OF_MEMORY;
      }
      curl_free(env);
      capath_from_env = true;
    }
    env = curlx_getenv("SSL_CERT_FILE");
    if(env) {
      config->cacert = strdup(env);
      if(!config->cacert) {
        curl_free(env);
        if(capath_from_env)
          free(config->capath);
        curl_easy_cleanup(curltls);
        errorf(global, "out of memory");
        return CURLE_OUT_OF_MEMORY;
      }
    }
  }
  if(env)
    curl_free(env);
#ifdef _WIN32
  else {
    result = FindWin32CACert(config, tls_backend_info->backend,
                             TEXT("curl-ca-bundle.crt"));
  }
#endif
}
```

@nickzman
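As an added example (not part of this thread and not curl's own code), the following stand-alone C program models the environment-to-CA-location logic quoted above and applies the change jay suggests: the Schannel exemption is extended to Secure Transport, so that any backend validating against the OS trust store ignores `CURL_CA_BUNDLE`, `SSL_CERT_DIR` and `SSL_CERT_FILE` unless the user names a CA file explicitly. The `ca_backend` enum, `ca_config` struct and function names are assumptions made for this example; the precedence (`CURL_CA_BUNDLE` wins outright, otherwise `SSL_CERT_DIR` and `SSL_CERT_FILE` may both apply, an empty value counts as unset) follows the excerpt.

```c
/* Added example, not curl's code: a stand-alone model of the tool's
 * environment-to-CA-location logic, with the Schannel exemption extended to
 * Secure Transport since both validate against the OS trust store. The
 * backend ids, struct and function names are assumptions for this example. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum ca_backend {
  BACKEND_OPENSSL,          /* file/dir based trust: honours the env vars */
  BACKEND_SCHANNEL,         /* Windows certificate store */
  BACKEND_SECURETRANSPORT   /* macOS/iOS Keychain trust store */
};

struct ca_config {
  char *cacert;   /* CA bundle file, from CURL_CA_BUNDLE or SSL_CERT_FILE */
  char *capath;   /* CA directory, from SSL_CERT_DIR */
};

/* Native-store backends must only use a CA file the user named explicitly
 * (--cacert / CURLOPT_CAINFO), never one picked up from the environment. */
static bool backend_uses_native_store(enum ca_backend backend)
{
  return backend == BACKEND_SCHANNEL || backend == BACKEND_SECURETRANSPORT;
}

/* Like curl's GetEnv(): an empty value counts as unset. */
static const char *env_value(const char *name)
{
  const char *v = getenv(name);
  return (v && *v) ? v : NULL;
}

void free_ca_config(struct ca_config *cfg)
{
  free(cfg->cacert);
  free(cfg->capath);
  cfg->cacert = cfg->capath = NULL;
}

/* Precedence as in tool_operate.c: CURL_CA_BUNDLE wins outright; otherwise
 * SSL_CERT_DIR and SSL_CERT_FILE may both apply. Returns 0 on success and
 * -1 on allocation failure, in which case cfg is left empty. */
int resolve_ca_from_env(enum ca_backend backend, struct ca_config *cfg)
{
  cfg->cacert = cfg->capath = NULL;
  if(backend_uses_native_store(backend))
    return 0;
  const char *env = env_value("CURL_CA_BUNDLE");
  if(env) {
    cfg->cacert = strdup(env);
    return cfg->cacert ? 0 : -1;
  }
  env = env_value("SSL_CERT_DIR");
  if(env) {
    cfg->capath = strdup(env);
    if(!cfg->capath)
      return -1;
  }
  env = env_value("SSL_CERT_FILE");
  if(env) {
    cfg->cacert = strdup(env);
    if(!cfg->cacert) {
      free_ca_config(cfg);
      return -1;
    }
  }
  return 0;
}

/* Set (or unset, when NULL) the three variables, then resolve. */
int resolve_with_env(enum ca_backend backend, const char *bundle,
                     const char *dir, const char *file, struct ca_config *cfg)
{
  const char *names[] = { "CURL_CA_BUNDLE", "SSL_CERT_DIR", "SSL_CERT_FILE" };
  const char *values[] = { bundle, dir, file };
  for(int i = 0; i < 3; i++) {
    if(values[i])
      setenv(names[i], values[i], 1);
    else
      unsetenv(names[i]);
  }
  return resolve_ca_from_env(backend, cfg);
}

int main(void)
{
  struct ca_config cfg;
  const char *file = "/tmp/example-ca.pem";   /* constructed path */
  resolve_with_env(BACKEND_OPENSSL, NULL, NULL, file, &cfg);
  printf("openssl:         cacert=%s\n", cfg.cacert ? cfg.cacert : "(none)");
  free_ca_config(&cfg);
  resolve_with_env(BACKEND_SECURETRANSPORT, NULL, NULL, file, &cfg);
  printf("securetransport: cacert=%s\n", cfg.cacert ? cfg.cacert : "(none)");
  free_ca_config(&cfg);
  return 0;
}
```

Compiled and run, the first line shows the OpenSSL-style backend picking up the constructed `SSL_CERT_FILE` path and the second shows Secure Transport leaving `cacert` empty. Keeping the exemption in one predicate (`backend_uses_native_store`) is the point: in a multi-backend build the check must be made against the backend actually selected at runtime, not against the compile-time set, which is what the issue describes going wrong.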

jay added the labels appleOS (specific to an Apple operating system) and TLS on Jan 15, 2024
@bagder (Member)

bagder commented Jan 15, 2024

> Let's hear from another dev on mac before we do this

I suspect @notjaywu is about the first person ever to use multissl with Secure Transport...

@bagder bagder closed this in c5801a2 Jan 16, 2024
bagder added a commit that referenced this pull request Jan 16, 2024
Ref: #12704

Co-authored-by: Jay Satiro <raysatiro@yahoo.com>

Closes #12711