-
-
Notifications
You must be signed in to change notification settings - Fork 6.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
doh: fix curl handle option inheritance #4579
Conversation
397fbc9
to
d8da46c
Compare
Prior to this change some doh handle options inherited from the user's easy handle were only inherited if they were turned on, not if they were off. [API option] : [Default API setting] CURLOPT_CERTINFO : OFF CURLOPT_NOSIGNAL : OFF CURLOPT_PROXY_SSL_VERIFYHOST : ON <-- affected CURLOPT_PROXY_SSL_VERIFYPEER : ON <-- affected CURLOPT_SSL_FALSESTART : OFF CURLOPT_SSL_VERIFYHOST : ON <-- affected CURLOPT_SSL_VERIFYPEER : ON <-- affected CURLOPT_SSL_VERIFYSTATUS : OFF CURLOPT_VERBOSE : OFF For example if CURLOPT_SSL_VERIFYPEER was turned off by the user then that would not have been inherited by the doh handle and its verify peer setting would have defaulted to on. Prior to this change users were not able to disable SSL verification of the DOH server. Reported-by: 3dyd@users.noreply.github.com Fixes curl#4578 Closes #xxxx
d8da46c
to
1e1be6c
Compare
now that the doh SSL options are always set there may be some that return CURLE_NOT_BUILT_IN
I made some changes to ignore errors setting the options, however I wonder if something like this is sufficient instead: diff --git a/lib/doh.c b/lib/doh.c
index d179578..f4abf82 100644
--- a/lib/doh.c
+++ b/lib/doh.c
@@ -278,14 +278,16 @@ static CURLcode dohprobe(struct Curl_easy *data,
best-guess as to which options are needed for compatibility. #3661 */
if(data->set.ssl.falsestart)
ERROR_CHECK_SETOPT(CURLOPT_SSL_FALSESTART, 1L);
- if(data->set.ssl.primary.verifyhost)
- ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYHOST, 2L);
- if(data->set.proxy_ssl.primary.verifyhost)
- ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYHOST, 2L);
- if(data->set.ssl.primary.verifypeer)
- ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L);
- if(data->set.proxy_ssl.primary.verifypeer)
- ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYPEER, 1L);
+ if(!data->set.ssl.primary.verifyhost)
+ ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYHOST, 0L);
+ if(!data->set.ssl.primary.verifypeer)
+ ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 0L);
+#ifndef CURL_DISABLE_PROXY
+ if(!data->set.proxy_ssl.primary.verifyhost)
+ ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYHOST, 0L);
+ if(!data->set.proxy_ssl.primary.verifypeer)
+ ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYPEER, 0L);
+#endif
if(data->set.ssl.primary.verifystatus)
ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYSTATUS, 1L);
if(data->set.str[STRING_SSL_CAFILE_ORIG]) { |
@bagder what do you think of --doh-insecure instead mapped to CURLOPT_DOH_SSL_VERIFYPEER CURLOPT_DOH_SSL_VERIFYHOST? |
I think I like that better. Keeps the "insecurties" separate, as I believe most users will have a different view on the DoH server vs the actual content server. |
- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the same as their respective counterparts. - New curl tool options --doh-insecure and --doh-cert-status do the same as their respective counterparts. Ref: curl#4579 (comment) Fixes curl#4578 Closes #xxxx
- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the same as their respective counterparts. - New curl tool options --doh-insecure and --doh-cert-status do the same as their respective counterparts. Prior to this change DOH SSL certificate verification settings for verifyhost and verifypeer were supposed to be inherited respectively from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug were not. As a result DOH verification remained at the default, ie enabled, and it was not possible to disable. This commit changes behavior so that the DOH verification settings are independent and not inherited. Ref: curl#4579 (comment) Fixes curl#4578 Closes #xxxx
- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the same as their respective counterparts. - New curl tool options --doh-insecure and --doh-cert-status do the same as their respective counterparts. Prior to this change DOH SSL certificate verification settings for verifyhost and verifypeer were supposed to be inherited respectively from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug were not. As a result DOH verification remained at the default, ie enabled, and it was not possible to disable. This commit changes behavior so that the DOH verification settings are independent and not inherited. Ref: curl#4579 (comment) Fixes curl#4578 Closes #xxxx
- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the same as their respective counterparts. - New curl tool options --doh-insecure and --doh-cert-status do the same as their respective counterparts. Prior to this change DOH SSL certificate verification settings for verifyhost and verifypeer were supposed to be inherited respectively from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug were not. As a result DOH verification remained at the default, ie enabled, and it was not possible to disable. This commit changes behavior so that the DOH verification settings are independent and not inherited. Ref: #4579 (comment) Fixes #4578 Closes #6597
Prior to this change some doh handle options inherited from the user's
easy handle were only inherited if they were turned on, not if they were
off.
For example if CURLOPT_SSL_VERIFYPEER was turned off by the user then
that would not have been inherited by the doh handle and its verify peer
setting would have defaulted to on.
Prior to this change users were not able to disable SSL verification of
the DOH server.
Reported-by: 3dyd@users.noreply.github.com
Fixes #4578
Closes #xxxx
fixed by changing the pattern
Before:
After: