doh: add options to disable ssl verification

- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the same as their respective counterparts. - New curl tool options --doh-insecure and --doh-cert-status do the same as their respective counterparts. Ref: curl#4579 (comment) Fixes curl#4578 Closes #xxxx
jay · Feb 11, 2021 · ba2a149 · ba2a149
1 parent 89e572a
commit ba2a149
Show file tree

Hide file tree

Showing 17 changed files with 381 additions and 42 deletions.
diff --git a/docs/cmdline-opts/cert-status.d b/docs/cmdline-opts/cert-status.d
@@ -1,7 +1,7 @@
 Long: cert-status
 Protocols: TLS
 Added: 7.41.0
-Help: Verify the status of the server certificate
+Help: Verify the OCSP staple status of the server cert
 Category: tls
 ---
 Tells curl to verify the status of the server certificate by using the

diff --git a/docs/cmdline-opts/doh-cert-status.d b/docs/cmdline-opts/doh-cert-status.d
@@ -0,0 +1,7 @@
+Long: doh-cert-status
+Help: Verify the OCSP staple status of the DOH server cert
+Protocols: all
+Added: 7.76.0
+Category: dns tls
+---
+Same as --cert-status but used for DOH (DNS-over-HTTPS).
diff --git a/docs/cmdline-opts/doh-insecure.d b/docs/cmdline-opts/doh-insecure.d
@@ -0,0 +1,7 @@
+Long: doh-insecure
+Help: Allow insecure DOH server connections
+Protocols: all
+Added: 7.76.0
+Category: dns tls
+---
+Same as --insecure but used for DOH (DNS-over-HTTPS).
diff --git a/docs/libcurl/opts/CURLOPT_DOH_SSL_VERIFYHOST.3 b/docs/libcurl/opts/CURLOPT_DOH_SSL_VERIFYHOST.3
@@ -0,0 +1,85 @@
+.\" **************************************************************************
+.\" *                                  _   _ ____  _
+.\" *  Project                     ___| | | |  _ \| |
+.\" *                             / __| | | | |_) | |
+.\" *                            | (__| |_| |  _ <| |___
+.\" *                             \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_DOH_SSL_VERIFYHOST 3 "11 Feb 2021" "libcurl 7.76.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_DOH_SSL_VERIFYHOST \- verify the host name in the DOH SSL certificate
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_DOH_SSL_VERIFYHOST, long verify);
+.SH DESCRIPTION
+Pass a long set to 2L as asking curl to \fIverify\fP the DOH (DNS-over-HTTPS)
+server's certificate name fields against the host name.
+
+This option is the DOH equivalent of \fICURLOPT_SSL_VERIFYHOST(3)\fP and
+affects only DOH requests.
+
+When \fICURLOPT_DOH_SSL_VERIFYHOST(3)\fP is 2, the SSL certificate provided by
+the DOH server must indicate that the server name is the same as the server
+name to which you meant to connect to, or the connection fails.
+
+Curl considers the DOH server the intended one when the Common Name field or a
+Subject Alternate Name field in the certificate matches the host name in the
+DOH URL to which you told Curl to connect.
+
+When the \fIverify\fP value is set to 1L it is treated the same as 2L. However
+for consistency with the other VERIFYHOST options we suggest use 2 and not 1.
+
+When the \fIverify\fP value is set to 0L, the connection succeeds regardless of
+the names used in the certificate. Use that ability with caution!
+
+See also \fICURLOPT_DOH_SSL_VERIFYPEER(3)\fP to verify the digital signature
+of the proxy certificate.  If libcurl is built against NSS and
+\fICURLOPT_DOH_SSL_VERIFYPEER(3)\fP is zero,
+\fICURLOPT_DOH_SSL_VERIFYHOST(3)\fP is also set to zero and cannot be
+overridden.
+.SH DEFAULT
+2
+.SH PROTOCOLS
+DOH
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
+
+  curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://cloudflare-dns.com/dns-query");
+
+  /* Disable host name verification of the DOH server */
+  curl_easy_setopt(curl, CURLOPT_DOH_SSL_VERIFYHOST, 0L);
+
+  curl_easy_perform(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in 7.76.0
+
+If built TLS enabled.
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
+.SH "SEE ALSO"
+.BR CURLOPT_DOH_SSL_VERIFYPEER "(3), "
+.BR CURLOPT_SSL_VERIFYHOST "(3), "
+.BR CURLOPT_SSL_VERIFYPEER "(3), "
+.BR CURLOPT_PROXY_SSL_VERIFYPEER "(3), "
+.BR CURLOPT_PROXY_SSL_VERIFYHOST "(3), "
diff --git a/docs/libcurl/opts/CURLOPT_DOH_SSL_VERIFYPEER.3 b/docs/libcurl/opts/CURLOPT_DOH_SSL_VERIFYPEER.3
@@ -0,0 +1,96 @@
+.\" **************************************************************************
+.\" *                                  _   _ ____  _
+.\" *  Project                     ___| | | |  _ \| |
+.\" *                             / __| | | | |_) | |
+.\" *                            | (__| |_| |  _ <| |___
+.\" *                             \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_DOH_SSL_VERIFYPEER 3 "11 Feb 2021" "libcurl 7.76.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_DOH_SSL_VERIFYPEER \- verify the DOH SSL certificate
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_DOH_SSL_VERIFYPEER, long verify);
+.SH DESCRIPTION
+Pass a long as parameter set to 1L to enable or 0L to disable.
+
+This option tells curl to verify the authenticity of the DOH (DNS-over-HTTPS)
+server's certificate. A value of 1 means curl verifies; 0 (zero) means it
+doesn't.
+
+This option is the DOH equivalent of \fICURLOPT_SSL_VERIFYPEER(3)\fP and
+affects only DOH requests.
+
+When negotiating a TLS or SSL connection, the server sends a certificate
+indicating its identity. Curl verifies whether the certificate is authentic,
+i.e. that you can trust that the server is who the certificate says it is.
+This trust is based on a chain of digital signatures, rooted in certification
+authority (CA) certificates you supply.  curl uses a default bundle of CA
+certificates (the path for that is determined at build time) and you can
+specify alternate certificates with the \fICURLOPT_CAINFO(3)\fP option
+or the \fICURLOPT_CAPATH(3)\fP option.
+
+When \fICURLOPT_DOH_SSL_VERIFYPEER(3)\fP is enabled, and the verification
+fails to prove that the certificate is authentic, the connection fails.  When
+the option is zero, the peer certificate verification succeeds regardless.
+
+Authenticating the certificate is not enough to be sure about the server. You
+typically also want to ensure that the server is the server you mean to be
+talking to.  Use \fICURLOPT_DOH_SSL_VERIFYHOST(3)\fP for that. The check
+that the host name in the certificate is valid for the host name you're
+connecting to is done independently of the
+\fICURLOPT_DOH_SSL_VERIFYPEER(3)\fP option.
+
+WARNING: disabling verification of the certificate allows bad guys to
+man-in-the-middle the communication without you knowing it. Disabling
+verification makes the communication insecure. Just having encryption on a
+transfer is not enough as you cannot be sure that you are communicating with
+the correct end-point.
+.SH DEFAULT
+1
+.SH PROTOCOLS
+DOH
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
+
+  curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://cloudflare-dns.com/dns-query");
+
+  /* Disable certificate verification of the DOH server */
+  curl_easy_setopt(curl, CURLOPT_DOH_SSL_VERIFYPEER, 0L);
+
+  curl_easy_perform(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in 7.76.0
+
+If built TLS enabled.
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
+.SH "SEE ALSO"
+.BR CURLOPT_DOH_SSL_VERIFYHOST "(3), "
+.BR CURLOPT_SSL_VERIFYHOST "(3), "
+.BR CURLOPT_SSL_VERIFYPEER "(3), "
+.BR CURLOPT_PROXY_SSL_VERIFYPEER "(3), "
+.BR CURLOPT_PROXY_SSL_VERIFYHOST "(3), "
+.BR CURLOPT_CAINFO "(3), "
+.BR CURLOPT_CAPATH "(3), "
diff --git a/docs/libcurl/opts/CURLOPT_DOH_SSL_VERIFYSTATUS.3 b/docs/libcurl/opts/CURLOPT_DOH_SSL_VERIFYSTATUS.3
@@ -0,0 +1,69 @@
+.\" **************************************************************************
+.\" *                                  _   _ ____  _
+.\" *  Project                     ___| | | |  _ \| |
+.\" *                             / __| | | | |_) | |
+.\" *                            | (__| |_| |  _ <| |___
+.\" *                             \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_DOH_SSL_VERIFYSTATUS 3 "11 Feb 2021" "libcurl 7.76.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_DOH_SSL_VERIFYSTATUS \- verify the DOH SSL certificate's status
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_DOH_SSL_VERIFYSTATUS, long verify);
+.SH DESCRIPTION
+Pass a long as parameter set to 1 to enable or 0 to disable.
+
+This option determines whether libcurl verifies the status of the DOH
+(DNS-over-HTTPS) server cert using the "Certificate Status Request" TLS
+extension (aka. OCSP stapling).
+
+This option is the DOH equivalent of \fICURLOPT_SSL_VERIFYSTATUS(3)\fP and
+affects only DOH requests.
+
+Note that if this option is enabled but the server does not support the TLS
+extension, the verification will fail.
+.SH DEFAULT
+0
+.SH PROTOCOLS
+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
+
+  curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://cloudflare-dns.com/dns-query");
+
+  /* Ask for OCSP stapling when verifying the DOH server */
+  curl_easy_setopt(curl, CURLOPT_DOH_SSL_VERIFYSTATUS, 1L);
+
+  curl_easy_perform(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in 7.76.0. This option is currently only supported by the OpenSSL, GnuTLS
+and NSS TLS backends.
+.SH RETURN VALUE
+Returns CURLE_OK if OCSP stapling is supported by the SSL backend, otherwise
+returns CURLE_NOT_BUILT_IN.
+.SH "SEE ALSO"
+.BR CURLOPT_DOH_SSL_VERIFYHOST "(3), "
+.BR CURLOPT_DOH_SSL_VERIFYPEER "(3), "
+.BR CURLOPT_SSL_VERIFYSTATUS "(3), "
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
@@ -410,6 +410,9 @@ CURLOPT_DNS_LOCAL_IP6           7.33.0
 CURLOPT_DNS_SERVERS             7.24.0
 CURLOPT_DNS_SHUFFLE_ADDRESSES   7.60.0
 CURLOPT_DNS_USE_GLOBAL_CACHE    7.9.3         7.11.1
+CURLOPT_DOH_SSL_VERIFYHOST      7.76.0
+CURLOPT_DOH_SSL_VERIFYPEER      7.76.0
+CURLOPT_DOH_SSL_VERIFYSTATUS    7.76.0
 CURLOPT_DOH_URL                 7.62.0
 CURLOPT_EGDSOCKET               7.7
 CURLOPT_ENCODING                7.10

diff --git a/docs/options-in-versions b/docs/options-in-versions
@@ -50,6 +50,8 @@
 --dns-ipv4-addr                      7.33.0
 --dns-ipv6-addr                      7.33.0
 --dns-servers                        7.33.0
+--doh-cert-status                    7.76.0
+--doh-insecure                       7.76.0
 --doh-url                            7.62.0
 --dump-header (-D)                   5.7
 --egd-file                           7.7

diff --git a/include/curl/curl.h b/include/curl/curl.h
@@ -2079,6 +2079,15 @@ typedef enum {
   /* Parameters for V4 signature */
   CURLOPT(CURLOPT_AWS_SIGV4, CURLOPTTYPE_STRINGPOINT, 305),
 
+  /* Same as CURLOPT_SSL_VERIFYPEER but for DOH (DNS-over-HTTPS) servers. */
+  CURLOPT(CURLOPT_DOH_SSL_VERIFYPEER, CURLOPTTYPE_LONG, 306),
+
+  /* Same as CURLOPT_SSL_VERIFYHOST but for DOH (DNS-over-HTTPS) servers. */
+  CURLOPT(CURLOPT_DOH_SSL_VERIFYHOST, CURLOPTTYPE_LONG, 307),
+
+  /* Same as CURLOPT_SSL_VERIFYSTATUS but for DOH (DNS-over-HTTPS) servers. */
+  CURLOPT(CURLOPT_DOH_SSL_VERIFYSTATUS, CURLOPTTYPE_LONG, 308),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;