ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code

Long live CURLE_PEER_FAILED_VERIFICATION

diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 7448b4f435a67fd8b690d5e21973577cf770052c..96fdb7f44348e65a526922067ea2d1909825f66c 100644 (file)
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -113,7 +113,7 @@ CURLE_SEND_ERROR                7.10
 CURLE_SEND_FAIL_REWIND          7.12.3
 CURLE_SHARE_IN_USE              7.9.6         7.17.0
 CURLE_SSH                       7.16.1
-CURLE_SSL_CACERT                7.10
+CURLE_SSL_CACERT                7.10          7.62.0
 CURLE_SSL_CACERT_BADFILE        7.16.0
 CURLE_SSL_CERTPROBLEM           7.10
 CURLE_SSL_CIPHER                7.10

diff --git a/include/curl/curl.h b/include/curl/curl.h
index 067b34ded5006cc5f6453f4776e5328f752cc18e..767cb3b170a9f6f4e6023f587e1df7f9b0591152 100644 (file)
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -517,8 +517,7 @@ typedef enum {
   CURLE_UNKNOWN_OPTION,          /* 48 - User specified an unknown option */
   CURLE_TELNET_OPTION_SYNTAX,    /* 49 - Malformed telnet option */
   CURLE_OBSOLETE50,              /* 50 - NOT USED */
-  CURLE_PEER_FAILED_VERIFICATION, /* 51 - peer's certificate or fingerprint
-                                     wasn't verified fine */
+  CURLE_OBSOLETE51,              /* 51 - NOT USED */
   CURLE_GOT_NOTHING,             /* 52 - when this is a specific error */
   CURLE_SSL_ENGINE_NOTFOUND,     /* 53 - SSL crypto engine not found */
   CURLE_SSL_ENGINE_SETFAILED,    /* 54 - can not set SSL crypto engine as
@@ -528,7 +527,8 @@ typedef enum {
   CURLE_OBSOLETE57,              /* 57 - NOT IN USE */
   CURLE_SSL_CERTPROBLEM,         /* 58 - problem with the local certificate */
   CURLE_SSL_CIPHER,              /* 59 - couldn't use specified cipher */
-  CURLE_SSL_CACERT,              /* 60 - problem with the CA cert (path?) */
+  CURLE_PEER_FAILED_VERIFICATION, /* 60 - peer's certificate or fingerprint
+                                     wasn't verified fine */
   CURLE_BAD_CONTENT_ENCODING,    /* 61 - Unrecognized/bad encoding */
   CURLE_LDAP_INVALID_URL,        /* 62 - Invalid LDAP URL */
   CURLE_FILESIZE_EXCEEDED,       /* 63 - Maximum file size exceeded */
@@ -584,6 +584,9 @@ typedef enum {
   CURL_LAST /* never use! */
 } CURLcode;
 
+/* added in 7.62.0 */
+#define CURLE_SSL_CACERT CURLE_PEER_FAILED_VERIFICATION
+
 #ifndef CURL_NO_OLDIES /* define this to test if your app builds with all
                           the obsolete stuff removed! */
 

diff --git a/lib/strerror.c b/lib/strerror.c
index 0295d6c27d8153ed6ed31a67465e0e62849781eb..47ef44a66d9b172c9955d85dd1b699ec41654228 100644 (file)
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -191,9 +191,6 @@ curl_easy_strerror(CURLcode error)
   case CURLE_TELNET_OPTION_SYNTAX :
     return "Malformed telnet option";
 
-  case CURLE_PEER_FAILED_VERIFICATION:
-    return "SSL peer certificate or SSH remote key was not OK";
-
   case CURLE_GOT_NOTHING:
     return "Server returned nothing (no headers, no data)";
 
@@ -218,9 +215,8 @@ curl_easy_strerror(CURLcode error)
   case CURLE_SSL_CIPHER:
     return "Couldn't use specified SSL cipher";
 
-  case CURLE_SSL_CACERT:
-    return "Peer certificate cannot be authenticated with given CA "
-      "certificates";
+  case CURLE_PEER_FAILED_VERIFICATION:
+    return "SSL peer certificate or SSH remote key was not OK";
 
   case CURLE_SSL_CACERT_BADFILE:
     return "Problem with the SSL CA cert (path? access rights?)";
@@ -324,6 +320,7 @@ curl_easy_strerror(CURLcode error)
   case CURLE_OBSOLETE44:
   case CURLE_OBSOLETE46:
   case CURLE_OBSOLETE50:
+  case CURLE_OBSOLETE51:
   case CURLE_OBSOLETE57:
   case CURL_LAST:
     break;

diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 6ea43542d5372fcf65e1c6fc8dc749413805a257..ae8a5cc1e8964d8c2973996ec5d92e1817c34866 100644 (file)
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -2099,7 +2099,7 @@ static int append_cert_to_array(struct Curl_easy *data,
     switch(result) {
       case CURLE_OK:
         break;
-      case CURLE_SSL_CACERT:
+      case CURLE_PEER_FAILED_VERIFICATION:
         return CURLE_SSL_CACERT_BADFILE;
       case CURLE_OUT_OF_MEMORY:
       default:

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 89f8183970aa233ac3432f8f0b9c5bf88240f7d7..4eb6a779211b9bf784f2ad65139f24eff5d87ac8 100644 (file)
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1522,7 +1522,6 @@ static bool is_nss_error(CURLcode err)
 {
   switch(err) {
   case CURLE_PEER_FAILED_VERIFICATION:
-  case CURLE_SSL_CACERT:
   case CURLE_SSL_CERTPROBLEM:
   case CURLE_SSL_CONNECT_ERROR:
   case CURLE_SSL_ISSUER_ERROR:

diff --git a/tests/data/test1538 b/tests/data/test1538
index b084dac6d6380a39aa74a3dca3d0236cf8b48baa..98d6731e923e49375d9efe56b1216c078f0f6348 100644 (file)
--- a/tests/data/test1538
+++ b/tests/data/test1538
@@ -83,7 +83,7 @@ e47: Number of redirects hit maximum amount
 e48: An unknown option was passed in to libcurl
 e49: Malformed telnet option
 e50: Unknown error
-e51: SSL peer certificate or SSH remote key was not OK
+e51: Unknown error
 e52: Server returned nothing (no headers, no data)
 e53: SSL crypto engine not found
 e54: Can not set SSL crypto engine as default
@@ -92,7 +92,7 @@ e56: Failure when receiving data from the peer
 e57: Unknown error
 e58: Problem with the local SSL certificate
 e59: Couldn't use specified SSL cipher
-e60: Peer certificate cannot be authenticated with given CA certificates
+e60: SSL peer certificate or SSH remote key was not OK
 e61: Unrecognized or bad HTTP Content or Transfer-Encoding
 e62: Invalid LDAP URL
 e63: Maximum file size exceeded

diff --git a/tests/data/test311 b/tests/data/test311
index 0465ed1d33aeb3148a70de1fa756a781a4a0cdb5..87f4dddce5f7cd4a3c3e8035ab06458042273afe 100644 (file)
--- a/tests/data/test311
+++ b/tests/data/test311
@@ -37,7 +37,7 @@ perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0
 # Verify data after the test has been "shot"
 <verify>
 <errorcode>
-51
+60
 </errorcode>
 </verify>
 </testcase>

diff --git a/tests/data/test312 b/tests/data/test312
index af4422f43aaaa53bfde37485bcdf2f70e1b32b37..6a79f59a7bc16c10b2e9f1eb1a5caf02ecd25fb3 100644 (file)
--- a/tests/data/test312
+++ b/tests/data/test312
@@ -37,7 +37,7 @@ perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0
 # Verify data after the test has been "shot"
 <verify>
 <errorcode>
-51
+60
 </errorcode>
 </verify>
 </testcase>

diff --git a/tests/data/test630 b/tests/data/test630
index bb19590be1176e4ac5b1600497cded0a253e0e1e..ffde8ea54ddbdc77329ed45ed74f2ef4a3ca0983 100644 (file)
--- a/tests/data/test630
+++ b/tests/data/test630
@@ -25,7 +25,7 @@ SFTP incorrect host key
 # Verify data after the test has been "shot"
 <verify>
 <errorcode>
-51
+60
 </errorcode>
 <valgrind>
 disable

diff --git a/tests/data/test631 b/tests/data/test631
index 649fb70ac0f462a6bc66920b5af6d0d24d9cca80..ddb7d280d76df73b2a7cb83e53101d73cc29d0f5 100644 (file)
--- a/tests/data/test631
+++ b/tests/data/test631
@@ -25,7 +25,7 @@ SCP incorrect host key
 # Verify data after the test has been "shot"
 <verify>
 <errorcode>
-51
+60
 </errorcode>
 <valgrind>
 disable