On Wed, 2011-11-02 at 12:18 +0100, Patrick Ohly wrote:
> On Wed, 2011-11-02 at 11:18 +0100, Alain Knaff wrote:
> > On 02/11/11 11:14, Patrick Ohly wrote:
> > Well in that case, what harm could be done by putting the test for file
> > or directory into the app?
>
> None. As I said, I don't mind adding the code. But before doing it and
> asking Ove to create new binaries, I wanted to be sure that it really
> has a chance of improving the situation.
Patch attached and committed to for-master/curl-capath branch. Note that
there might be a slight regression risk around NSS-enabled libcurl. See
patch comments.

Ove, can you perhaps help Alain with trying out this change by providing
a binary?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am
an employee of Intel, the statements I make here in no way represent
Intel's position on the issue, nor am I authorized to speak on behalf of
Intel on this matter.
>From f530b48d84602dff5a8008181bbd7c69b058bc11 Mon Sep 17 00:00:00 2001 From: Patrick Ohly <[email protected]> Date: Wed, 2 Nov 2011 12:33:15 +0100 Subject: [PATCH] Curl transport: support SSLServerCertificates=<path> When the setting refers to a directory, then CURLOPT_CAINFO doesn't work (must be a file). Check this and use CURLOPT_CAPATH instead. Caveat: there are some comments in the API documentation about "NSS enabled libcurl" which supports a directory in CURLOPT_CAINFO. Hopefully providing an explicit path in CURLOPT_CAPATH also works in that configuration. --- src/syncevo/CurlTransportAgent.cpp | 12 +++++++++++- 1 files changed, 11 insertions(+), 1 deletions(-) diff --git a/src/syncevo/CurlTransportAgent.cpp b/src/syncevo/CurlTransportAgent.cpp index 857efcd..ee81dcb 100644 --- a/src/syncevo/CurlTransportAgent.cpp +++ b/src/syncevo/CurlTransportAgent.cpp @@ -132,7 +132,17 @@ void CurlTransportAgent::setSSL(const std::string &cacerts, CURLcode code = CURLE_OK; if (!m_cacerts.empty()) { - code = curl_easy_setopt(m_easyHandle, CURLOPT_CAINFO, m_cacerts.c_str()); + if (isDir(m_cacerts)) { + // libcurl + OpenSSL does not work with a directory set in CURLOPT_CAINFO. + // Must set the directory name as CURLOPT_CAPATH. + // + // Hopefully libcurl NSS also finds the directory name + // here ("NSS-powered libcurl provides the option only for + // backward compatibility. "). + code = curl_easy_setopt(m_easyHandle, CURLOPT_CAPATH, m_cacerts.c_str()); + } else { + code = curl_easy_setopt(m_easyHandle, CURLOPT_CAINFO, m_cacerts.c_str()); + } } if (!code) { code = curl_easy_setopt(m_easyHandle, CURLOPT_SSL_VERIFYPEER, (long)verifyServer); -- 1.7.2.5
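Review bot: the isDir() branch sets only CURLOPT_CAPATH and leaves CURLOPT_CAINFO at its default, and the else branch likewise never touches CURLOPT_CAPATH, so if this libcurl was built with a default CA bundle (or default CA path) that default stays trusted in addition to whatever SSLServerCertificates points at; the setting then does not restrict trust, it only adds to it. If restriction is the intent, pass NULL for the option not in use in each branch, e.g. `curl_easy_setopt(m_easyHandle, CURLOPT_CAINFO, NULL);` before the CURLOPT_CAPATH call, and the CURLOPT_CAPATH equivalent in the file branch. Two smaller points: with OpenSSL, CURLOPT_CAPATH only finds certificates through hash-named entries (as created by c_rehash), so a plain directory of .pem files will still fail verification and the setting's documentation should say so; and the diff shows no include for isDir(), so confirm the header declaring it is already pulled into CurlTransportAgent.cpp.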
_______________________________________________ SyncEvolution mailing list [email protected] http://lists.syncevolution.org/listinfo/syncevolution
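As an added example, not code from this thread or from SyncEvolution: the same file-versus-directory decision at the curl command line, where `--cacert` is the CLI counterpart of CURLOPT_CAINFO and `--capath` of CURLOPT_CAPATH. It also performs the check a user is most likely to trip over next, namely that OpenSSL only consults a CAPATH directory through hash-named entries such as `4a6481c9.0` (created by `c_rehash` or `openssl rehash`); a plain directory of .pem files verifies nothing. The function names and the sample hash file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not SyncEvolution code): pick the curl CA option the way the
# patch's isDir() check picks CURLOPT_CAINFO vs CURLOPT_CAPATH, and warn when
# a directory is not usable by OpenSSL's CAPATH lookup.

# OpenSSL locates CA certificates in a CAPATH directory only via entries
# named <8 hex digits>.<n>, e.g. 4a6481c9.0, as produced by c_rehash.
# Returns 0 if at least one such entry exists, 1 otherwise.
ca_dir_is_hashed() {
    dir=$1
    for entry in "$dir"/*; do
        name=${entry##*/}
        case "$name" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                return 0 ;;
        esac
    done
    return 1
}

# Print the curl option matching the type of $1: a regular file maps to
# --cacert (CURLOPT_CAINFO), a directory to --capath (CURLOPT_CAPATH).
# Anything else is an error, so a typo in the configured path cannot
# silently fall back to curl's built-in bundle.
ca_flag_for() {
    path=$1
    if [ -d "$path" ]; then
        if ! ca_dir_is_hashed "$path"; then
            echo "warning: $path has no hash-named entries; run 'openssl rehash $path' first" >&2
        fi
        echo "--capath"
    elif [ -f "$path" ]; then
        echo "--cacert"
    else
        echo "error: $path is neither a file nor a directory" >&2
        return 1
    fi
}

# Usage: ca_curl <ca-file-or-dir> <url>
# Fetches <url> trusting only the configured CA material (curl fails the
# request if verification fails).
ca_curl() {
    flag=$(ca_flag_for "$1") || return 1
    curl --silent --show-error --fail "$flag" "$1" "$2" -o /dev/null
}
```

To try a SyncEvolution CA setting by hand, run `ca_curl <value of SSLServerCertificates> <server URL>`; a non-zero exit together with a "no hash-named entries" warning means the directory needs rehashing, not that the server certificate is bad.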
