Cris Bailiff's CAPATH support added

This commit is contained in:
Daniel Stenberg 2002-05-28 09:21:29 +00:00
Родитель 98871d1e9e
Коммит 59c11b82d5
5 изменённых файлов: 48 добавлений и 10 удалений

Просмотреть файл

@ -211,7 +211,17 @@ certificate concatenated!
If this option is used several times, the last one will be used.
.IP "--cacert <CA certificate>"
(HTTPS) Tells curl to use the specified certificate file to verify the
peer. The certificate must be in PEM format.
peer. The file may contain multiple CA certificates. The certificate(s) must
be in PEM format.
If this option is used several times, the last one will be used.
.IP "--capath <CA certificate directory>"
(HTTPS) Tells curl to use the specified certificate directory to verify the
peer. The certificates must be in PEM format, and the directory must have been
processed using the c_rehash utility supplied with openssl. Certificate directories
are not supported under Windows (because c_rehash uses symbolink links to
create them). Using --capath can allow curl to make https connections much
more efficiently than using --cacert if the --cacert file contains many CA certificates.
If this option is used several times, the last one will be used.
.IP "-f/--fail"

Просмотреть файл

@ -514,12 +514,20 @@ argument in the progress callback set with \fICURLOPT_PROGRESSFUNCTION\fP.
.B CURLOPT_SSL_VERIFYPEER
Pass a long that is set to a non-zero value to make curl verify the peer's
certificate. The certificate to verify against must be specified with the
CURLOPT_CAINFO option. (Added in 7.4.2)
CURLOPT_CAINFO option (Added in 7.4.2) or a certificate directory must be specified
with the CURLOPT_CAPATH option (Added in 7.9.8).
.TP
.B CURLOPT_CAINFO
Pass a char * to a zero terminated file naming holding the certificate to
verify the peer with. This only makes sense when used in combination with the
CURLOPT_SSL_VERIFYPEER option. (Added in 7.4.2)
Pass a char * to a zero terminated string naming a file holding one or more
certificates to verify the peer with. This only makes sense when used in
combination with the CURLOPT_SSL_VERIFYPEER option. (Added in 7.4.2)
.TP
.B CURLOPT_CAPATH
Pass a char * to a zero terminated string naming a directory holding multiple CA
certificates to verify the peer with. The certificate directory must be prepared using
the openssl c_rehash utility. This only makes sense when used in combination with the
CURLOPT_SSL_VERIFYPEER option. The CAPATH function apparently does not work in Windows
due to some limitation in openssl. (Added in 7.9.8)
.TP
.B CURLOPT_PASSWDFUNCTION
Pass a pointer to a \fIcurl_passwd_callback\fP function that will be called

Просмотреть файл

@ -545,6 +545,10 @@ typedef enum {
/* mark this as start of a cookie session */
CINIT(COOKIESESSION, LONG, 96),
/* The CApath directory used to validate the peer certificate
this option is used only if SSL_VERIFYPEER is true */
CINIT(CAPATH, OBJECTPOINT, 97),
CURLOPT_LASTENTRY /* the last unusued */
} CURLoption;
@ -728,8 +732,8 @@ CURLcode curl_global_init(long flags);
void curl_global_cleanup(void);
/* This is the version number */
#define LIBCURL_VERSION "7.9.7"
#define LIBCURL_VERSION_NUM 0x070907
#define LIBCURL_VERSION "7.9.8-pre1"
#define LIBCURL_VERSION_NUM 0x070908
/* linked-list structure for the CURLOPT_QUOTE option (and other) */
struct curl_slist {

Просмотреть файл

@ -981,7 +981,13 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
* Set CA info for SSL connection. Specify file name of the CA certificate
*/
data->set.ssl.CAfile = va_arg(param, char *);
data->set.ssl.CApath = NULL; /*This does not work on windows.*/
break;
case CURLOPT_CAPATH:
/*
* Set CA path info for SSL connection. Specify directory name of the CA certificates
* which have been prepared using openssl c_rehash utility.
*/
data->set.ssl.CApath = va_arg(param, char *); /*This does not work on windows.*/
break;
case CURLOPT_TELNETOPTIONS:
/*

Просмотреть файл

@ -345,6 +345,7 @@ static void help(void)
" --pass <pass> Specifies your passphrase for the private key (HTTPS)");
puts(" --engine <eng> Specifies the crypto engine to use (HTTPS)\n"
" --cacert <file> CA certifciate to verify peer against (SSL)\n"
" --capath <directory> CA directory (made using c_rehash) to verify peer against (SSL, NOT Windows)\n"
" --ciphers <list> What SSL ciphers to use (SSL)\n"
" --connect-timeout <seconds> Maximum time allowed for connection\n"
" -f/--fail Fail silently (no output at all) on errors (H)\n"
@ -454,6 +455,7 @@ struct Configurable {
char *cert;
char *cert_type;
char *cacert;
char *capath;
char *key;
char *key_type;
char *key_passwd;
@ -999,6 +1001,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
{"Ed","key-type", TRUE},
{"Ee","pass", TRUE},
{"Ef","engine", TRUE},
{"Eg","capath ", TRUE},
{"f", "fail", FALSE},
{"F", "form", TRUE},
{"g", "globoff", FALSE},
@ -1335,6 +1338,10 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
case 'f': /* crypto engine */
GetStr(&config->engine, nextarg);
break;
case 'g': /* CA info PEM file */
/* CA cert directory */
GetStr(&config->capath, nextarg);
break;
default: /* certificate file */
{
char *ptr = strchr(nextarg, ':');
@ -2082,6 +2089,8 @@ void free_config_fields(struct Configurable *config)
curl_formfree(config->httppost);
if(config->cacert)
free(config->cacert);
if(config->capath)
free(config->capath);
if(config->cookiejar)
free(config->cookiejar);
@ -2558,8 +2567,9 @@ operate(struct Configurable *config, int argc, char *argv[])
curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, config->key_type);
curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, config->key_passwd);
if(config->cacert) {
curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
if(config->cacert || config->capath) {
if (config->cacert) curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
if (config->capath) curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
}