doh: fix curl handle option inheritance #4579
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jay
force-pushed
the
doh_fix_option_inheritance
branch
from
397fbc9
to
d8da46c
Compare
Prior to this change some doh handle options inherited from the user's easy handle were only inherited if they were turned on, not if they were off. [API option] : [Default API setting] CURLOPT_CERTINFO : OFF CURLOPT_NOSIGNAL : OFF CURLOPT_PROXY_SSL_VERIFYHOST : ON <-- affected CURLOPT_PROXY_SSL_VERIFYPEER : ON <-- affected CURLOPT_SSL_FALSESTART : OFF CURLOPT_SSL_VERIFYHOST : ON <-- affected CURLOPT_SSL_VERIFYPEER : ON <-- affected CURLOPT_SSL_VERIFYSTATUS : OFF CURLOPT_VERBOSE : OFF For example if CURLOPT_SSL_VERIFYPEER was turned off by the user then that would not have been inherited by the doh handle and its verify peer setting would have defaulted to on. Prior to this change users were not able to disable SSL verification of the DOH server. Reported-by: 3dyd@users.noreply.github.com Fixes curl#4578 Closes #xxxx
jay
force-pushed
the
doh_fix_option_inheritance
branch
from
d8da46c
to
1e1be6c
Compare
now that the doh SSL options are always set there may be some that return CURLE_NOT_BUILT_IN
|
I made some changes to ignore errors setting the options, however I wonder if something like this is sufficient instead: diff --git a/lib/doh.c b/lib/doh.c
index d179578..f4abf82 100644
--- a/lib/doh.c
+++ b/lib/doh.c
@@ -278,14 +278,16 @@ static CURLcode dohprobe(struct Curl_easy *data,
best-guess as to which options are needed for compatibility. #3661 */
if(data->set.ssl.falsestart)
ERROR_CHECK_SETOPT(CURLOPT_SSL_FALSESTART, 1L);
- if(data->set.ssl.primary.verifyhost)
- ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYHOST, 2L);
- if(data->set.proxy_ssl.primary.verifyhost)
- ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYHOST, 2L);
- if(data->set.ssl.primary.verifypeer)
- ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L);
- if(data->set.proxy_ssl.primary.verifypeer)
- ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYPEER, 1L);
+ if(!data->set.ssl.primary.verifyhost)
+ ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYHOST, 0L);
+ if(!data->set.ssl.primary.verifypeer)
+ ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 0L);
+#ifndef CURL_DISABLE_PROXY
+ if(!data->set.proxy_ssl.primary.verifyhost)
+ ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYHOST, 0L);
+ if(!data->set.proxy_ssl.primary.verifypeer)
+ ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYPEER, 0L);
+#endif
if(data->set.ssl.primary.verifystatus)
ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYSTATUS, 1L);
if(data->set.str[STRING_SSL_CAFILE_ORIG]) { |
|
@bagder what do you think of --doh-insecure instead mapped to CURLOPT_DOH_SSL_VERIFYPEER CURLOPT_DOH_SSL_VERIFYHOST? |
I think I like that better. Keeps the "insecurties" separate, as I believe most users will have a different view on the DoH server vs the actual content server. |
jay
added a commit
to jay/curl
that referenced
this pull request
Feb 11, 2021
- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the same as their respective counterparts. - New curl tool options --doh-insecure and --doh-cert-status do the same as their respective counterparts. Ref: curl#4579 (comment) Fixes curl#4578 Closes #xxxx
jay
added a commit
to jay/curl
that referenced
this pull request
Feb 12, 2021
- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the same as their respective counterparts. - New curl tool options --doh-insecure and --doh-cert-status do the same as their respective counterparts. Prior to this change DOH SSL certificate verification settings for verifyhost and verifypeer were supposed to be inherited respectively from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug were not. As a result DOH verification remained at the default, ie enabled, and it was not possible to disable. This commit changes behavior so that the DOH verification settings are independent and not inherited. Ref: curl#4579 (comment) Fixes curl#4578 Closes #xxxx
jay
added a commit
to jay/curl
that referenced
this pull request
Feb 14, 2021
- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the same as their respective counterparts. - New curl tool options --doh-insecure and --doh-cert-status do the same as their respective counterparts. Prior to this change DOH SSL certificate verification settings for verifyhost and verifypeer were supposed to be inherited respectively from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug were not. As a result DOH verification remained at the default, ie enabled, and it was not possible to disable. This commit changes behavior so that the DOH verification settings are independent and not inherited. Ref: curl#4579 (comment) Fixes curl#4578 Closes #xxxx
jay
added a commit
that referenced
this pull request
Feb 14, 2021
- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the same as their respective counterparts. - New curl tool options --doh-insecure and --doh-cert-status do the same as their respective counterparts. Prior to this change DOH SSL certificate verification settings for verifyhost and verifypeer were supposed to be inherited respectively from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug were not. As a result DOH verification remained at the default, ie enabled, and it was not possible to disable. This commit changes behavior so that the DOH verification settings are independent and not inherited. Ref: #4579 (comment) Fixes #4578 Closes #6597
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Prior to this change some doh handle options inherited from the user's
easy handle were only inherited if they were turned on, not if they were
off.
For example if CURLOPT_SSL_VERIFYPEER was turned off by the user then
that would not have been inherited by the doh handle and its verify peer
setting would have defaulted to on.
Prior to this change users were not able to disable SSL verification of
the DOH server.
Reported-by: 3dyd@users.noreply.github.com
Fixes #4578
Closes #xxxx
fixed by changing the pattern
Before:
After: