configure: --with-ca-fallback: use built-in TLS CA fallback
authorLudwig Nussel <ludwig.nussel@suse.de>
Tue, 24 Mar 2015 12:25:17 +0000 (13:25 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Mon, 8 Feb 2016 13:45:58 +0000 (14:45 +0100)
When trying to verify a peer without having any root CA certificates
set, this makes libcurl use the TLS library's built-in default as a
fallback.

Closes #569

acinclude.m4
configure.ac
lib/vtls/gtls.c
lib/vtls/openssl.c

index ce61ca6b581440767f5e488e21b9c70f0bf4d70d..037c27d7c55174b8cd7760c4e78c25f6fde942e3 100644 (file)
@@ -2665,6 +2665,24 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
   if test "x$ca" = "xno" && test "x$capath" = "xno"; then
     AC_MSG_RESULT([no])
   fi
+
+  AC_MSG_CHECKING([whether to use builtin CA store of SSL library])
+  AC_ARG_WITH(ca-fallback,
+AC_HELP_STRING([--with-ca-fallback], [Use the built in CA store of the SSL library])
+AC_HELP_STRING([--without-ca-fallback], [Don't use the built in CA store of the SSL library]),
+  [
+    if test "x$with_ca_fallback" != "xyes" -a "x$with_ca_fallback" != "xno"; then
+      AC_MSG_ERROR([--with-ca-fallback only allows yes or no as parameter])
+    fi
+  ],
+  [ with_ca_fallback="no"])
+  AC_MSG_RESULT([$with_ca_fallback])
+  if test "x$with_ca_fallback" = "xyes"; then
+    if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1"; then
+      AC_MSG_ERROR([--with-ca-fallback only works with OpenSSL or GnuTLS])
+    fi
+    AC_DEFINE_UNQUOTED(CURL_CA_FALLBACK, 1, [define "1" to use built in CA store of SSL library ])
+  fi
 ])
 
 
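Review bot: The two new `if test ... -a ...` conditions join their operands with `-a`, while the existing check at the top of the hunk (`test "x$ca" = "xno" && test "x$capath" = "xno"`) chains separate `test` invocations with `&&`; `-a` is marked obsolescent by POSIX and is ambiguous in some shells, so the added lines should follow the existing form, e.g. `if test "x$with_ca_fallback" != "xyes" && test "x$with_ca_fallback" != "xno"; then`. The `$OPENSSL_ENABLED`/`$GNUTLS_ENABLED` guard only works if this macro is expanded after the TLS backend detection has set those variables, which cannot be confirmed from this hunk. Since the defined value is a literal 1, plain `AC_DEFINE` would suffice, and the help text carries a stray trailing space before the closing `]`.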
index 4c9862fc4f439971fc48368934bfdf0b32e9a6d9..3b4139328042a487fddd2d33abb7081b8fc2fec9 100644 (file)
@@ -3895,6 +3895,7 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
   SSPI support:     ${curl_sspi_msg}
   ca cert bundle:   ${ca}
   ca cert path:     ${capath}
+  ca fallback:      ${with_ca_fallback}
   LDAP support:     ${curl_ldap_msg}
   LDAPS support:    ${curl_ldaps_msg}
   RTSP support:     ${curl_rtsp_msg}
index a9702c4a4039a26c08e332786ce04867dc615342..2c7eb17291348c4e0d943416c6c6144b51361ad5 100644 (file)
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -487,6 +487,14 @@ gtls_connect_step1(struct connectdata *conn,
   }
 #endif
 
+#ifdef CURL_CA_FALLBACK
+  /* use system ca certificate store as fallback */
+  if(data->set.ssl.verifypeer &&
+     !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
+    gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
+  }
+#endif
+
   if(data->set.ssl.CRLfile) {
     /* set the CRL list file */
     rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
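Review bot: The return value of `gnutls_certificate_set_x509_system_trust()` is discarded, whereas the CRL call just below stores its result in `rc`; when the system trust store cannot be loaded the credentials stay without trust anchors and the later verification fails with an error that does not point at the cause. Capture it in the existing `rc` and report a negative result: `rc = gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);` followed by `if(rc < 0) infof(data, "error reading system ca certificates: %s\n", gnutls_strerror(rc));`. An `infof` line stating that the fallback store is in use would also let operators see from verbose output that no CAfile/CApath was applied. This GnuTLS API is not present in older releases and the configure check adds no version guard — worth verifying against the minimum GnuTLS version the project supports. gtls_connect_step1 starts outside the hunk.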
index 70cfb84af318d94de53f6c262f9b534a21f47eeb..b36c6a6117b1204f60db5fa87ef207ee6e515fed 100644 (file)
@@ -1960,6 +1960,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
           data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]:
           "none");
   }
+#ifdef CURL_CA_FALLBACK
+  else if(data->set.ssl.verifypeer) {
+    /* verfying the peer without any CA certificates won't
+       work so use openssl's built in default as fallback */
+    SSL_CTX_set_default_verify_paths(connssl->ctx);
+  }
+#endif
 
   if(data->set.str[STRING_SSL_CRLFILE]) {
     /* tell SSL where to find CRL file that is used to check certificate
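Review bot: `SSL_CTX_set_default_verify_paths()` returns 0 on failure and the new `else if` branch ignores that, so a missing or unreadable default store leaves the context without trust anchors and the handshake later fails with a generic verification error; at minimum log it, `if(!SSL_CTX_set_default_verify_paths(connssl->ctx)) infof(data, "error setting default verify paths\n");`, or, if the preceding CAfile/CApath path treats a load failure as fatal, fail the connection the same way. The comment also has a typo, `verfying` → `verifying`. An `infof` line noting that the library's default store is in use would make it visible in verbose output which trust anchors were applied. ossl_connect_step1 starts outside the hunk.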