diff options
| author | Michael Stahl <michael.stahl@allotropia.de> | 2022-08-12 16:43:12 +0200 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2022-08-15 13:16:54 +0200 |
| commit | 2ed2dd065cda11f02da8fe9869e25e5b1e46dfd1 (patch) | |
| tree | 5a1889a3915b249b1143c26da9444d92d57fba37 | |
| parent | connectivity: avoid divide by zero in calculateTimeOuts (diff) | |
| download | core-2ed2dd065cda11f02da8fe9869e25e5b1e46dfd1.tar.gz core-2ed2dd065cda11f02da8fe9869e25e5b1e46dfd1.zip | |
tdf#149921 ucb: webdav-curl: WNT: certificate revocation check
- don't require it to be successful.
Trying to connect to a server with self-signed CA results in:
warn:ucb.ucp.webdav.curl:6796:6568:ucb/source/ucp/webdav-curl/CurlSession.cxx:946:
curl_easy_perform failed: (35) schannel: next InitializeSecurityContext failed:
Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
Apparently schannel wants to check by default (called with
SCH_CRED_REVOCATION_CHECK_CHAIN) that all the certificates aren't
revoked, but the self-signed CA doesn't specify how to check.
Set it to only check revocation when the way to do so actually works,
via CURLSSLOPT_REVOKE_BEST_EFFORT, which sets these flags:
SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_REVOCATION_CHECK_CHAIN
Change-Id: I6d77ca23fe2012d8a5d65000b14775070b5c9a0f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138204
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit f6a0ca0e92e41ad8fea71acdacdc7ec5e775dc59)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138276
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
| -rw-r--r-- | ucb/source/ucp/webdav-curl/CurlSession.cxx | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index ef3241f1c3dc..347eb25789e7 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -679,8 +679,17 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> const& xContext, rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_READFUNCTION, &read_callback); assert(rc == CURLE_OK); rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback); - // set this initially, may be overwritten during authentication assert(rc == CURLE_OK); + // tdf#149921 by default, with schannel (WNT) connection fails if revocation + // lists cannot be checked; try to limit the checking to when revocation + // lists can actually be retrieved (usually not the case for self-signed CA) +#if CURL_AT_LEAST_VERSION(7, 70, 0) + rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); + assert(rc == CURLE_OK); + rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); + assert(rc == CURLE_OK); +#endif + // set this initially, may be overwritten during authentication rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY); assert(rc == CURLE_OK); // ANY is always available // always set CURLOPT_PROXY to suppress proxy detection in libcurl |