Changelog
Daniel S (3 October 2007)
+- I renamed the CURLE_SSL_PEER_CERTIFICATE error code to
+ CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made
+ this return code get used by the previous SSH MD5 fingerprint check in case
+ it fails.
+
- Based on a patch brought by Johnny Luong, libcurl now offers
CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and the curl tool --hostpubmd5. They both
make the SCP or SFTP connection verify the remote host's md5 checksum of the
.IP 49
Malformed telnet option.
.IP 51
-The remote peer's SSL certificate wasn't ok
+The peer's SSL certificate or SSH MD5 fingerprint was not ok
.IP 52
The server didn't reply anything, which here is considered an error.
.IP 53
the appropriate documentation.
.IP "CURLE_TELNET_OPTION_SYNTAX (49)"
A telnet option string was Illegally formatted.
-.IP "CURLE_SSL_PEER_CERTIFICATE (51)"
-The remote server's SSL certificate was deemed not OK.
+.IP "CURLE_PEER_FAILED_VERIFICATION (51)"
+The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK.
.IP "CURLE_GOT_NOTHING (52)"
Nothing was returned from the server, and under the circumstances, getting
nothing is considered an error.
CURLE_UNKNOWN_TELNET_OPTION, /* 48 - User specified an unknown option */
CURLE_TELNET_OPTION_SYNTAX , /* 49 - Malformed telnet option */
CURLE_OBSOLETE50, /* 50 - NOT USED */
- CURLE_SSL_PEER_CERTIFICATE, /* 51 - peer's certificate wasn't ok */
+ CURLE_PEER_FAILED_VERIFICATION, /* 51 - peer's certificate or fingerprint
+ wasn't verified fine */
CURLE_GOT_NOTHING, /* 52 - when this is a specific error */
CURLE_SSL_ENGINE_NOTFOUND, /* 53 - SSL crypto engine not found */
CURLE_SSL_ENGINE_SETFAILED, /* 54 - can not set SSL crypto engine as
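Review bot: The comment on the renamed enumerator, "peer's certificate or fingerprint wasn't verified fine", reads awkwardly and is the only place in the header that tells a reader which fingerprint is meant; `/* 51 - peer's certificate or SSH host-key fingerprint failed verification */` says the same thing in idiomatic English. It would also help to state in that comment that the numeric value 51 is deliberately kept, since callers compiled against the old name rely on it. The enum definition starts and ends outside this hunk.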
the obsolete stuff removed! */
/* Backwards compatibility with older names */
+
+/* The following were added in 7.17.1 */
/* These are scheduled to disappear by 2009 */
+#define CURLE_SSL_PEER_CERTIFICATE CURLE_PEER_FAILED_VERIFICATION
/* The following were added in 7.17.0 */
+/* These are scheduled to disappear by 2009 */
#define CURLE_OBSOLETE CURLE_OBSOLETE50 /* noone should be using this! */
#define CURLE_BAD_PASSWORD_ENTERED CURLE_OBSOLETE46
#define CURLE_BAD_CALLING_ORDER CURLE_OBSOLETE44
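Review bot: The new compatibility macro makes `CURLE_SSL_PEER_CERTIFICATE` expand to the same enumerator as `CURLE_PEER_FAILED_VERIFICATION`, so an application that keeps its old `case CURLE_SSL_PEER_CERTIFICATE:` and adds `case CURLE_PEER_FAILED_VERIFICATION:` to the same switch now gets a duplicate-case compile error; the define deserves a comment saying so, e.g. `/* alias of CURLE_PEER_FAILED_VERIFICATION; never use both names as cases of one switch */`. The `/* These are scheduled to disappear by 2009 */` line is now printed twice in a row (once for the 7.17.1 group and once for the 7.17.0 group), which is harmless but slightly noisy; a single heading covering both groups would read better. Whether this block sits inside the `CURL_NO_OLDIES` guard mentioned in the changelog cannot be seen from the hunk.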
if(!chainp) {
if(data->set.ssl.verifyhost) {
failf(data, "failed to get server cert");
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
infof(data, "\t common name: WARNING couldn't obtain\n");
}
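Review bot: The missing-certificate-chain case still fails only when `verifyhost` is set; with `verifypeer` on and `verifyhost` off the code logs a warning and continues, even though there is no certificate to verify the peer against. If the peer-verification step earlier in this function (outside the hunk) does not already reject an empty chain, the guard should be `if(data->set.ssl.verifyhost || data->set.ssl.verifypeer) {` so the new return code is reached in both cases. The enclosing function starts and ends outside the hunk.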
failf(data, "SSL: certificate subject name (%s) does not match "
"target host name '%s'", certbuf, conn->host.dispname);
gnutls_x509_crt_deinit(x509_cert);
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t common name: %s (does not match '%s')\n",
if(clock < time(NULL)) {
if (data->set.ssl.verifypeer) {
failf(data, "server certificate expiration date has passed.");
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t server certificate expiration date FAILED\n");
if(clock > time(NULL)) {
if (data->set.ssl.verifypeer) {
failf(data, "server certificate not activated yet.");
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t server certificate activation date FAILED\n");
case SSL_ERROR_BAD_CERTIFICATE:
case SSL_ERROR_BAD_CERT_SIG:
case SSL_ERROR_NOT_TRUSTED_ROOT:
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
case SSL_ERROR_BAD_CIPHER_SUITE:
case SSL_ERROR_NO_CIPHERS:
"Remote %s is not equal to %s",
buf, data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]);
state(conn, SSH_SESSION_FREE);
- sshc->actualCode = CURLE_FAILED_INIT;
+ sshc->actualCode = CURLE_PEER_FAILED_VERIFICATION;
break;
}
}
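Review bot: The failure message `"Remote %s is not equal to %s"` is the only diagnostic a user sees when the host-key check rejects a server, and it does not say what the two values are or which check fired; now that the mismatch is reported under a name shared with TLS certificate failures, that context matters more. A message such as `"SSH MD5 public key fingerprint %s does not match expected %s",` would make the log self-explanatory. The `failf()` call begins outside the hunk, and the comparison that feeds this branch is not visible here.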
if (!peer_CN) {
failf(data,
"SSL: unable to obtain common name from peer certificate");
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
if(data->set.ssl.verifyhost > 1) {
failf(data, "SSL: certificate subject name '%s' does not match "
"target host name '%s'", peer_CN, conn->host.dispname);
- res = CURLE_SSL_PEER_CERTIFICATE;
+ res = CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t common name: %s (does not match '%s')\n",
connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
if(!connssl->server_cert) {
failf(data, "SSL: couldn't get peer certificate!");
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
infof (data, "Server certificate:\n");
and we return earlyer if verifypeer is set? */
failf(data, "SSL certificate verify result: %s (%ld)",
X509_verify_cert_error_string(lerr), lerr);
- retcode = CURLE_SSL_PEER_CERTIFICATE;
+ retcode = CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "SSL certificate verify result: %s (%ld),"
case CURLE_TELNET_OPTION_SYNTAX :
return "Malformed telnet option";
- case CURLE_SSL_PEER_CERTIFICATE:
- return "SSL peer certificate was not OK";
+ case CURLE_PEER_FAILED_VERIFICATION:
+ return "SSL peer certificate or SSH md5 fingerprint was not OK";
case CURLE_GOT_NOTHING:
return "Server returned nothing (no headers, no data)";