[darcs-users] Patch to control libcurl SSL certificate validation

Nimrod A. Abing nimrod.abing at gmail.com
Thu Jan 5 07:42:16 UTC 2006


Hello,

Attached is a patch that will allow a user to control how libcurl
handles SSL certificate validation. Currently, the way libcurl handles
this is dependent on the libcurl library version that you have your
darcs binary compiled against. libcurl library versions below 7.10
would default to *no* SSL certificate verification. Versions 7.10 and
above verify SSL certificates by default.

Here is the patch summary:

  * Control darcs SSL verification with an environment variable.

  This patch allows for precise control over the level of verification that
  libcurl performs when checking a host's SSL certificate. Set the environment
  variable DARCS_CURL_SSL_VERIFICATION to one of the following values:

  0 = Turn off all certificate verification. Proceed happily even if the
      server's certificate fails verification.

  1 = Verify certificate authenticity but do not compare the server hostname
      with the Common Name or Alt Subject Name fields of the certificate. The
      connection will fail only if the certificate is corrupted. Not sure if
      this is really useful but libcurl allows you to do this.

  2 = (default) Verify certificate authenticity and compare the server hostname
      with the Common Name or Alt Subject Name fields of the certificate. The
      connection will fail if the certificate is invalid. If the certificate is
      valid but the Common Name or Alt Subject Name field does not match the
      server's hostname, the connection will still fail.

  This patch also adds an error message for libcurl error code 60 and suggests
  the use of DARCS_CURL_SSL_VERIFICATION.

I have already tried this against Zooko's repository:

https://yumyum.zooko.com:19144/pub/repos/darcs/unstable

By default, SSL verification is enabled at level 2. If you want to
disable it, set the environment variable DARCS_CURL_SSL_VERIFICATION
to zero.

Ideally this should be an option to get, pull, and other commands that
connect to a remote repository. But I don't know Haskell so there you
go :)

Tested under:

Ubuntu 5.10 with libcurl version 7.14.0 and darcs 1.0.6pre1 sources.

Note, requires the ISO C library function `strtol'. Substitute `atol'
if your C library does not have this function.
--
_nimrod_a_abing_

"If you can see Chuck Norris, he can see you. If you can't see Chuck
Norris, you may be only seconds away from death." --
http://www.chucknorrisfacts.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DARCS_CURL_SSL_VERIFICATION.dpatch
Type: application/octet-stream
Size: 4002 bytes
Desc: not available
Url : http://lists.osuosl.org/pipermail/darcs-users/attachments/20060105/05bf754b/attachment.obj 
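As an added example, not the attached patch or any darcs code, here is the level-to-option mapping the message describes, parsed with the strict `strtol` handling it calls for. It assumes the three levels map onto libcurl's `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` pairs shown below, and it falls back to the strict default on any value that is not exactly 0, 1 or 2.

```c
#include <errno.h>
#include <stdlib.h>

/* Values libcurl expects for CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST.
 * Assumption: the patch maps its three levels onto these pairs. */
struct ssl_policy {
    int level;       /* 0, 1 or 2 as described in the message */
    long verifypeer; /* CURLOPT_SSL_VERIFYPEER: 0 = off, 1 = check the chain */
    long verifyhost; /* CURLOPT_SSL_VERIFYHOST: 0 = off, 2 = match the hostname */
};

/* Parse the raw environment value. Unset, empty, trailing garbage, overflow
 * or an unknown level all fall back to level 2, so a typo in the variable
 * can never silently weaken certificate verification. */
struct ssl_policy ssl_policy_from_value(const char *value)
{
    struct ssl_policy p = { 2, 1L, 2L };
    char *end;
    long level;

    if (value == NULL || *value == '\0')
        return p;

    errno = 0;
    level = strtol(value, &end, 10);
    /* strtol (unlike atol) lets us detect trailing junk and out-of-range input */
    if (errno != 0 || end == value || *end != '\0')
        return p;

    switch (level) {
    case 0: p.level = 0; p.verifypeer = 0L; p.verifyhost = 0L; break; /* no checks */
    case 1: p.level = 1; p.verifypeer = 1L; p.verifyhost = 0L; break; /* chain only */
    case 2: break;                                                    /* chain + hostname */
    default: break;                                                   /* keep strict default */
    }
    return p;
}

/* Convenience wrapper reading the variable the patch introduces. */
struct ssl_policy ssl_policy_from_env(void)
{
    return ssl_policy_from_value(getenv("DARCS_CURL_SSL_VERIFICATION"));
}
```

The caller applies the result with `curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, p.verifypeer)` and `curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, p.verifyhost)`; the block uses only 0 or 2 for the hostname check because later libcurl releases no longer accept the value 1 there.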

