[darcs-users] Patch to control libcurl SSL certificate validation
Nimrod A. Abing
nimrod.abing at gmail.com
Thu Jan 5 07:42:16 UTC 2006
Hello,
Attached is a patch that will allow a user to control how libcurl
handles SSL certificate validation. Currently, the way libcurl handles
this is dependent on the libcurl library version that you have your
darcs binary compiled against. libcurl Library versions below 7.10
would default to *no* SSL certificate verification. Versions 7.10 and
above verify SSL certificates by default.
Here is the patch summary:
* Control darcs SSL verification with an environment variable.
This patch allows for precise control over the level of verification that
libcurl performs when checking a host's SSL certificate. Set the environment
variable DARCS_CURL_SSL_VERIFICATION to one of the following values:
0 = Turn off all certificate verification. Proceed happily even if the
server's certificate fails verification.
1 = Verify certificate authenticity but do not compare the server hostname
with the Common Name or Alt Subject Name fields of the certificate. The
connection will fail only if the certificate is corrupted. Not sure if
this is really useful but libcurl allows you to do this.
2 = (default) Verify certificate authenticity and compare the server hostname
with the Common Name or Alt Subject Name fields of the certificate. The
connection will fail if the certificate is invalid. If the certificate is
valid but the Common Name or Alt Subject Name field does not match the
server's hostname, the connection will still fail.
This patch also adds an error message for libcurl error code 60 and suggests
the use of DARCS_CURL_SSL_VERIFICATION.
I have already tried this against Zooko's repository:
https://yumyum.zooko.com:19144/pub/repos/darcs/unstable
By default, SSL verification is enabled at level 2. If you want to
disable it, set the environment variable DARCS_CURL_SSL_VERIFICATION
to zero.
Ideally this should be an option to get, pull, and other commands that
connect to a remote repository. But I don't know Haskell so there you
go :)
Tested under:
Ubuntu 5.10 with libcurl version 7.14.0 and darcs 1.0.6pre1 sources.
Note: requires the ISO C library function `strtol'. Substitute `atol'
if your C library does not have this function.
--
_nimrod_a_abing_
"If you can see Chuck Norris, he can see you. If you can't see Chuck
Norris, you may be only seconds away from death." --
http://www.chucknorrisfacts.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DARCS_CURL_SSL_VERIFICATION.dpatch
Type: application/octet-stream
Size: 4002 bytes
Desc: not available
Url : http://lists.osuosl.org/pipermail/darcs-users/attachments/20060105/05bf754b/attachment.obj
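The level-to-option mapping the message describes, as an added example in C that is not the attached dpatch (the attachment itself is not reproduced here). The names parse_ssl_level, ssl_opts_for_level and the DARCS_USE_LIBCURL build flag are assumptions; CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are the real libcurl options the three levels map onto. A malformed or out-of-range environment value falls back to the default level 2, not to level 0.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names; the variable name itself is the one from the post. */
#define DARCS_SSL_ENV     "DARCS_CURL_SSL_VERIFICATION"
#define DARCS_SSL_DEFAULT 2L

/* Values to hand to CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST. */
struct ssl_verify_opts {
    long verifypeer;  /* 1 = check the chain against the CA bundle, 0 = skip */
    long verifyhost;  /* 2 = match hostname against CN/SAN, 0 = skip */
    long level;       /* the 0/1/2 level that was actually applied */
};

/* Parse the level with strtol (as the post does). Returns -1 for an unset,
 * empty, non-numeric, trailing-junk or out-of-range value so that a typo in
 * the environment never silently turns verification off. */
long parse_ssl_level(const char *s)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > 2) return -1;
    return v;
}

/* Map a level to the two libcurl options exactly as the message lists them. */
struct ssl_verify_opts ssl_opts_for_level(long level)
{
    struct ssl_verify_opts o;
    if (level < 0 || level > 2) level = DARCS_SSL_DEFAULT; /* bad input: default */
    o.level = level;
    o.verifypeer = (level >= 1) ? 1L : 0L;   /* levels 1 and 2 check the chain */
    o.verifyhost = (level == 2) ? 2L : 0L;   /* only level 2 checks the hostname */
    return o;
}

struct ssl_verify_opts ssl_opts_from_env(void)
{
    return ssl_opts_for_level(parse_ssl_level(getenv(DARCS_SSL_ENV)));
}

#ifdef DARCS_USE_LIBCURL   /* assumed flag: build with -DDARCS_USE_LIBCURL -lcurl */
#include <curl/curl.h>
void apply_ssl_opts(CURL *h, struct ssl_verify_opts o)
{
    curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, o.verifypeer);
    curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, o.verifyhost);
}
#endif
```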