Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: securetransport doesn't work as expected when curl is built with multiple ssl backends #12704

Closed
wants to merge 1 commit into from

Conversation

notjaywu
Copy link
Contributor

This PR is to fix the issue#12663

Given curl is built with multiple SSL backends, CAfile is set incorrectly when SecureTransport is the selected TLS backend.

@jay
Copy link
Member

jay commented Jan 15, 2024

Let's hear from another dev on mac before we do this. Also we have code in tool_operate that exempts Schannel from SSL environment variables. Would it be a good idea to do the same change there?

curl/src/tool_operate.c

Lines 2590 to 2645 in 7161cb1

/* Set the CA cert locations specified in the environment. For Windows if
* no environment-specified filename is found then check for CA bundle
* default filename curl-ca-bundle.crt in the user's PATH.
*
* If Schannel is the selected SSL backend then these locations are
* ignored. We allow setting CA location for schannel only when explicitly
* specified by the user via CURLOPT_CAINFO / --cacert.
*/
if(tls_backend_info->backend != CURLSSLBACKEND_SCHANNEL) {
char *env;
env = curlx_getenv("CURL_CA_BUNDLE");
if(env) {
config->cacert = strdup(env);
if(!config->cacert) {
curl_free(env);
curl_easy_cleanup(curltls);
errorf(global, "out of memory");
return CURLE_OUT_OF_MEMORY;
}
}
else {
env = curlx_getenv("SSL_CERT_DIR");
if(env) {
config->capath = strdup(env);
if(!config->capath) {
curl_free(env);
curl_easy_cleanup(curltls);
errorf(global, "out of memory");
return CURLE_OUT_OF_MEMORY;
}
curl_free(env);
capath_from_env = true;
}
env = curlx_getenv("SSL_CERT_FILE");
if(env) {
config->cacert = strdup(env);
if(!config->cacert) {
curl_free(env);
if(capath_from_env)
free(config->capath);
curl_easy_cleanup(curltls);
errorf(global, "out of memory");
return CURLE_OUT_OF_MEMORY;
}
}
}
if(env)
curl_free(env);
#ifdef _WIN32
else {
result = FindWin32CACert(config, tls_backend_info->backend,
TEXT("curl-ca-bundle.crt"));
}
#endif
}

@nickzman

@jay jay added appleOS specific to an Apple operating system TLS labels Jan 15, 2024
@bagder
Copy link
Member

bagder commented Jan 15, 2024

Let's hear from another dev on mac before we do this

I suspect @notjaywu is about the first person ever to use multissl with Secure Transport...

@bagder bagder closed this in c5801a2 Jan 16, 2024
bagder added a commit that referenced this pull request Jan 16, 2024
Ref: #12704

Co-authored-by: Jay Satiro <raysatiro@yahoo.com>

Closes #12711
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
appleOS specific to an Apple operating system TLS
Development

Successfully merging this pull request may close these issues.

3 participants