summaryrefslogtreecommitdiff
path: root/ucb/source/ucp
diff options
context:
space:
mode:
authorMichael Stahl <michael.stahl@allotropia.de>2022-08-12 16:43:12 +0200
committerMichael Stahl <michael.stahl@allotropia.de>2022-08-15 10:34:27 +0200
commitf6a0ca0e92e41ad8fea71acdacdc7ec5e775dc59 (patch)
tree5fde4c2cd9678c07261a50fbb04e79a8824c9053 /ucb/source/ucp
parente83daa9ff1d4d41ef7ac7b13fe7ab1dc0bd82f68 (diff)
tdf#149921 ucb: webdav-curl: WNT: certificate revocation check
- don't require it to be successful. Trying to connect to a server with self-signed CA results in: warn:ucb.ucp.webdav.curl:6796:6568:ucb/source/ucp/webdav-curl/CurlSession.cxx:946: curl_easy_perform failed: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. Apparently schannel wants to check by default (called with SCH_CRED_REVOCATION_CHECK_CHAIN) that all the certificates aren't revoked, but the self-signed CA doesn't specify how to check. Set it to only check revocation when the way to do so actually works, via CURLSSLOPT_REVOKE_BEST_EFFORT, which sets these flags: SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_REVOCATION_CHECK_CHAIN Change-Id: I6d77ca23fe2012d8a5d65000b14775070b5c9a0f Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138204 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'ucb/source/ucp')
-rw-r--r--ucb/source/ucp/webdav-curl/CurlSession.cxx11
1 files changed, 10 insertions, 1 deletions
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index a966e779543c..a7303fb7b3bc 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -678,8 +678,17 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext,
rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_READFUNCTION, &read_callback);
assert(rc == CURLE_OK);
rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback);
- // set this initially, may be overwritten during authentication
assert(rc == CURLE_OK);
+ // tdf#149921 by default, with schannel (WNT) connection fails if revocation
+ // lists cannot be checked; try to limit the checking to when revocation
+ // lists can actually be retrieved (usually not the case for self-signed CA)
+#if CURL_AT_LEAST_VERSION(7, 70, 0)
+ rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
+ assert(rc == CURLE_OK);
+ rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
+ assert(rc == CURLE_OK);
+#endif
+ // set this initially, may be overwritten during authentication
rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY);
assert(rc == CURLE_OK); // ANY is always available
// always set CURLOPT_PROXY to suppress proxy detection in libcurl