Check for openssl version before setting cert callback.

Lakshmi Priya Sekar · Lakshmi Priya Sekar · commit 7fb74395611c · 2017-05-08T17:03:41.000-07:00
diff --git a/src/System.Net.Http/src/System/Net/Http/Unix/CurlHandler.SslProvider.cs b/src/System.Net.Http/src/System/Net/Http/Unix/CurlHandler.SslProvider.cs
@@ -48,47 +48,80 @@ internal static void SetSslOptions(EasyRequest easy, ClientCertificateOption cli
                 // Register the callback with libcurl.  We need to register even if there's no user-provided
                 // server callback and even if there are no client certificates, because we support verifying
                 // server certificates against more than those known to OpenSSL.
-                CURLcode answer = easy.SetSslCtxCallback(s_sslCtxCallback, userPointer);
-                switch (answer)
+                if (CurlSslVersionDescription.IndexOf("openssl/1.0", StringComparison.OrdinalIgnoreCase) != -1)
                 {
-                    case CURLcode.CURLE_OK:
-                        // We successfully registered.  If we'll be invoking a user-provided callback to verify the server
-                        // certificate as part of that, disable libcurl's verification of the host name.  The user's callback
-                        // needs to be given the opportunity to examine the cert, and our logic will determine whether
-                        // the host name matches and will inform the callback of that.
-                        if (easy._handler.ServerCertificateValidationCallback != null)
-                        {
-                            easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYHOST, 0); // don't verify the peer cert's hostname
-                            // We don't change the SSL_VERIFYPEER setting, as setting it to 0 will cause
-                            // SSL and libcurl to ignore the result of the server callback.
-                        }
+                    CURLcode answer = easy.SetSslCtxCallback(s_sslCtxCallback, userPointer);
+                    switch (answer)
+                    {
+                        case CURLcode.CURLE_OK:
+                            // We successfully registered.  If we'll be invoking a user-provided callback to verify the server
+                            // certificate as part of that, disable libcurl's verification of the host name.  The user's callback
+                            // needs to be given the opportunity to examine the cert, and our logic will determine whether
+                            // the host name matches and will inform the callback of that.
+                            if (easy._handler.ServerCertificateValidationCallback != null)
+                            {
+                                easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYHOST, 0); // don't verify the peer cert's hostname
+                                // We don't change the SSL_VERIFYPEER setting, as setting it to 0 will cause
+                                // SSL and libcurl to ignore the result of the server callback.
+                            }
 
-                        // The allowed SSL protocols will be set in the configuration callback.
-                        break;
+                            // The allowed SSL protocols will be set in the configuration callback.
+                            break;
+
+                        case CURLcode.CURLE_UNKNOWN_OPTION: // Curl 7.38 and prior
+                        case CURLcode.CURLE_NOT_BUILT_IN:   // Curl 7.39 and later
+                            // It's ok if we failed to register the callback if all of the defaults are in play
+                            // with relation to handling of certificates.  But if that's not the case, failing to 
+                            // register the callback will result in those options not being factored in, which is
+                            // a significant enough error that we need to fail.
+                            EventSourceTrace("CURLOPT_SSL_CTX_FUNCTION not supported: {0}", answer, easy: easy);
+                            if (certProvider != null ||
+                                easy._handler.ServerCertificateValidationCallback != null ||
+                                easy._handler.CheckCertificateRevocationList)
+                            {
+                                throw new PlatformNotSupportedException(
+                                    SR.Format(SR.net_http_unix_invalid_certcallback_option, CurlVersionDescription, CurlSslVersionDescription));
+                            }
 
-                    case CURLcode.CURLE_UNKNOWN_OPTION: // Curl 7.38 and prior
-                    case CURLcode.CURLE_NOT_BUILT_IN:   // Curl 7.39 and later
-                        // It's ok if we failed to register the callback if all of the defaults are in play
-                        // with relation to handling of certificates.  But if that's not the case, failing to 
-                        // register the callback will result in those options not being factored in, which is
-                        // a significant enough error that we need to fail.
-                        EventSourceTrace("CURLOPT_SSL_CTX_FUNCTION not supported: {0}", answer, easy: easy);
-                        if (certProvider != null ||
-                            easy._handler.ServerCertificateValidationCallback != null ||
-                            easy._handler.CheckCertificateRevocationList)
-                        {
-                            throw new PlatformNotSupportedException(
-                                SR.Format(SR.net_http_unix_invalid_certcallback_option, CurlVersionDescription, CurlSslVersionDescription));
-                        }
+                            // Since there won't be a callback to configure the allowed SSL protocols, configure them here.
+                            SetSslVersion(easy);
 
-                        // Since there won't be a callback to configure the allowed SSL protocols, configure them here.
-                        SetSslVersion(easy);
+                            break;
 
-                        break;
+                        default:
+                            ThrowIfCURLEError(answer);
+                            break;
+                    }
+                }
+                else
+                {
+                    // For newer versions of openssl throw PNSE, if default not used.
+                    if (certProvider != null)
+                    {
+                        throw new PlatformNotSupportedException(
+                            SR.Format(
+                                SR.net_http_libcurl_clientcerts_notsupported,
+                                CurlVersionDescription, CurlSslVersionDescription));
+                    }
 
-                    default:
-                        ThrowIfCURLEError(answer);
-                        break;
+                    if (easy._handler.ServerCertificateValidationCallback != null)
+                    {
+                        throw new PlatformNotSupportedException(
+                            SR.Format(
+                                SR.net_http_libcurl_callback_notsupported,
+                                CurlVersionDescription, CurlSslVersionDescription));
+                    }
+
+                    if (easy._handler.CheckCertificateRevocationList)
+                    {
+                        throw new PlatformNotSupportedException(
+                            SR.Format(
+                                SR.net_http_libcurl_revocation_notsupported,
+                                CurlVersionDescription, CurlSslVersionDescription));
+                    }
+
+                    // In case of defaults configure the allowed SSL protocols.
+                    SetSslVersion(easy);
                 }
             }
 
