Implement certificate verification, and many other SSL-related
imrovements; complete details in the PR. PR: kern/175514 Submitted by: Michael Gmelin <freebsd@grem.de> MFC after: 1 week
This commit is contained in:
parent
663dea3d1b
commit
dcd47379ff
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=253680
@ -1,5 +1,6 @@
|
|||||||
/*-
|
/*-
|
||||||
* Copyright (c) 1998-2011 Dag-Erling Smørgrav
|
* Copyright (c) 1998-2011 Dag-Erling Smørgrav
|
||||||
|
* Copyright (c) 2013 Michael Gmelin <freebsd@grem.de>
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
@ -47,6 +48,10 @@ __FBSDID("$FreeBSD$");
|
|||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
|
#ifdef WITH_SSL
|
||||||
|
#include <openssl/x509v3.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#include "fetch.h"
|
#include "fetch.h"
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
|
|
||||||
@ -317,15 +322,488 @@ fetch_connect(const char *host, int port, int af, int verbose)
|
|||||||
return (conn);
|
return (conn);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef WITH_SSL
|
||||||
|
/*
|
||||||
|
* Convert characters A-Z to lowercase (intentionally avoid any locale
|
||||||
|
* specific conversions).
|
||||||
|
*/
|
||||||
|
static char
|
||||||
|
fetch_ssl_tolower(char in)
|
||||||
|
{
|
||||||
|
if (in >= 'A' && in <= 'Z')
|
||||||
|
return (in + 32);
|
||||||
|
else
|
||||||
|
return (in);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* isalpha implementation that intentionally avoids any locale specific
|
||||||
|
* conversions.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_isalpha(char in)
|
||||||
|
{
|
||||||
|
return ((in >= 'A' && in <= 'Z') || (in >= 'a' && in <= 'z'));
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check if passed hostnames a and b are equal.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_hname_equal(const char *a, size_t alen, const char *b,
|
||||||
|
size_t blen)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
|
||||||
|
if (alen != blen)
|
||||||
|
return (0);
|
||||||
|
for (i = 0; i < alen; ++i) {
|
||||||
|
if (fetch_ssl_tolower(a[i]) != fetch_ssl_tolower(b[i]))
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check if domain label is traditional, meaning that only A-Z, a-z, 0-9
|
||||||
|
* and '-' (hyphen) are allowed. Hyphens have to be surrounded by alpha-
|
||||||
|
* numeric characters. Double hyphens (like they're found in IDN a-labels
|
||||||
|
* 'xn--') are not allowed. Empty labels are invalid.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_is_trad_domain_label(const char *l, size_t len, int wcok)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
|
||||||
|
if (!len || l[0] == '-' || l[len-1] == '-')
|
||||||
|
return (0);
|
||||||
|
for (i = 0; i < len; ++i) {
|
||||||
|
if (!isdigit(l[i]) &&
|
||||||
|
!fetch_ssl_isalpha(l[i]) &&
|
||||||
|
!(l[i] == '*' && wcok) &&
|
||||||
|
!(l[i] == '-' && l[i - 1] != '-'))
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check if host name consists only of numbers. This might indicate an IP
|
||||||
|
* address, which is not a good idea for CN wildcard comparison.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_hname_is_only_numbers(const char *hostname, size_t len)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
|
||||||
|
for (i = 0; i < len; ++i) {
|
||||||
|
if (!((hostname[i] >= '0' && hostname[i] <= '9') ||
|
||||||
|
hostname[i] == '.'))
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check if the host name h passed matches the pattern passed in m which
|
||||||
|
* is usually part of subjectAltName or CN of a certificate presented to
|
||||||
|
* the client. This includes wildcard matching. The algorithm is based on
|
||||||
|
* RFC6125, sections 6.4.3 and 7.2, which clarifies RFC2818 and RFC3280.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_hname_match(const char *h, size_t hlen, const char *m,
|
||||||
|
size_t mlen)
|
||||||
|
{
|
||||||
|
int delta, hdotidx, mdot1idx, wcidx;
|
||||||
|
const char *hdot, *mdot1, *mdot2;
|
||||||
|
const char *wc; /* wildcard */
|
||||||
|
|
||||||
|
if (!(h && *h && m && *m))
|
||||||
|
return (0);
|
||||||
|
if ((wc = strnstr(m, "*", mlen)) == NULL)
|
||||||
|
return (fetch_ssl_hname_equal(h, hlen, m, mlen));
|
||||||
|
wcidx = wc - m;
|
||||||
|
/* hostname should not be just dots and numbers */
|
||||||
|
if (fetch_ssl_hname_is_only_numbers(h, hlen))
|
||||||
|
return (0);
|
||||||
|
/* only one wildcard allowed in pattern */
|
||||||
|
if (strnstr(wc + 1, "*", mlen - wcidx - 1) != NULL)
|
||||||
|
return (0);
|
||||||
|
/*
|
||||||
|
* there must be at least two more domain labels and
|
||||||
|
* wildcard has to be in the leftmost label (RFC6125)
|
||||||
|
*/
|
||||||
|
mdot1 = strnstr(m, ".", mlen);
|
||||||
|
if (mdot1 == NULL || mdot1 < wc || (mlen - (mdot1 - m)) < 4)
|
||||||
|
return (0);
|
||||||
|
mdot1idx = mdot1 - m;
|
||||||
|
mdot2 = strnstr(mdot1 + 1, ".", mlen - mdot1idx - 1);
|
||||||
|
if (mdot2 == NULL || (mlen - (mdot2 - m)) < 2)
|
||||||
|
return (0);
|
||||||
|
/* hostname must contain a dot and not be the 1st char */
|
||||||
|
hdot = strnstr(h, ".", hlen);
|
||||||
|
if (hdot == NULL || hdot == h)
|
||||||
|
return (0);
|
||||||
|
hdotidx = hdot - h;
|
||||||
|
/*
|
||||||
|
* host part of hostname must be at least as long as
|
||||||
|
* pattern it's supposed to match
|
||||||
|
*/
|
||||||
|
if (hdotidx < mdot1idx)
|
||||||
|
return (0);
|
||||||
|
/*
|
||||||
|
* don't allow wildcards in non-traditional domain names
|
||||||
|
* (IDN, A-label, U-label...)
|
||||||
|
*/
|
||||||
|
if (!fetch_ssl_is_trad_domain_label(h, hdotidx, 0) ||
|
||||||
|
!fetch_ssl_is_trad_domain_label(m, mdot1idx, 1))
|
||||||
|
return (0);
|
||||||
|
/* match domain part (part after first dot) */
|
||||||
|
if (!fetch_ssl_hname_equal(hdot, hlen - hdotidx, mdot1,
|
||||||
|
mlen - mdot1idx))
|
||||||
|
return (0);
|
||||||
|
/* match part left of wildcard */
|
||||||
|
if (!fetch_ssl_hname_equal(h, wcidx, m, wcidx))
|
||||||
|
return (0);
|
||||||
|
/* match part right of wildcard */
|
||||||
|
delta = mdot1idx - wcidx - 1;
|
||||||
|
if (!fetch_ssl_hname_equal(hdot - delta, delta,
|
||||||
|
mdot1 - delta, delta))
|
||||||
|
return (0);
|
||||||
|
/* all tests succeded, it's a match */
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Get numeric host address info - returns NULL if host was not an IP
|
||||||
|
* address. The caller is responsible for deallocation using
|
||||||
|
* freeaddrinfo(3).
|
||||||
|
*/
|
||||||
|
static struct addrinfo *
|
||||||
|
fetch_ssl_get_numeric_addrinfo(const char *hostname, size_t len)
|
||||||
|
{
|
||||||
|
struct addrinfo hints, *res;
|
||||||
|
char *host;
|
||||||
|
|
||||||
|
host = (char *)malloc(len + 1);
|
||||||
|
memcpy(host, hostname, len);
|
||||||
|
host[len] = '\0';
|
||||||
|
memset(&hints, 0, sizeof(hints));
|
||||||
|
hints.ai_family = PF_UNSPEC;
|
||||||
|
hints.ai_socktype = SOCK_STREAM;
|
||||||
|
hints.ai_protocol = 0;
|
||||||
|
hints.ai_flags = AI_NUMERICHOST;
|
||||||
|
/* port is not relevant for this purpose */
|
||||||
|
getaddrinfo(host, "443", &hints, &res);
|
||||||
|
free(host);
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Compare ip address in addrinfo with address passes.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_ipaddr_match_bin(const struct addrinfo *lhost, const char *rhost,
|
||||||
|
size_t rhostlen)
|
||||||
|
{
|
||||||
|
const void *left;
|
||||||
|
|
||||||
|
if (lhost->ai_family == AF_INET && rhostlen == 4) {
|
||||||
|
left = (void *)&((struct sockaddr_in*)(void *)
|
||||||
|
lhost->ai_addr)->sin_addr.s_addr;
|
||||||
|
#ifdef INET6
|
||||||
|
} else if (lhost->ai_family == AF_INET6 && rhostlen == 16) {
|
||||||
|
left = (void *)&((struct sockaddr_in6 *)(void *)
|
||||||
|
lhost->ai_addr)->sin6_addr;
|
||||||
|
#endif
|
||||||
|
} else
|
||||||
|
return (0);
|
||||||
|
return (!memcmp(left, (const void *)rhost, rhostlen) ? 1 : 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Compare ip address in addrinfo with host passed. If host is not an IP
|
||||||
|
* address, comparison will fail.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_ipaddr_match(const struct addrinfo *laddr, const char *r,
|
||||||
|
size_t rlen)
|
||||||
|
{
|
||||||
|
struct addrinfo *raddr;
|
||||||
|
int ret;
|
||||||
|
char *rip;
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
if ((raddr = fetch_ssl_get_numeric_addrinfo(r, rlen)) == NULL)
|
||||||
|
return 0; /* not a numeric host */
|
||||||
|
|
||||||
|
if (laddr->ai_family == raddr->ai_family) {
|
||||||
|
if (laddr->ai_family == AF_INET) {
|
||||||
|
rip = (char *)&((struct sockaddr_in *)(void *)
|
||||||
|
raddr->ai_addr)->sin_addr.s_addr;
|
||||||
|
ret = fetch_ssl_ipaddr_match_bin(laddr, rip, 4);
|
||||||
|
#ifdef INET6
|
||||||
|
} else if (laddr->ai_family == AF_INET6) {
|
||||||
|
rip = (char *)&((struct sockaddr_in6 *)(void *)
|
||||||
|
raddr->ai_addr)->sin6_addr;
|
||||||
|
ret = fetch_ssl_ipaddr_match_bin(laddr, rip, 16);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
freeaddrinfo(raddr);
|
||||||
|
return (ret);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Verify server certificate by subjectAltName.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_verify_altname(STACK_OF(GENERAL_NAME) *altnames,
|
||||||
|
const char *host, struct addrinfo *ip)
|
||||||
|
{
|
||||||
|
const GENERAL_NAME *name;
|
||||||
|
size_t nslen;
|
||||||
|
int i;
|
||||||
|
const char *ns;
|
||||||
|
|
||||||
|
for (i = 0; i < sk_GENERAL_NAME_num(altnames); ++i) {
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10000000L
|
||||||
|
/*
|
||||||
|
* This is a workaround, since the following line causes
|
||||||
|
* alignment issues in clang:
|
||||||
|
* name = sk_GENERAL_NAME_value(altnames, i);
|
||||||
|
* OpenSSL explicitly warns not to use those macros
|
||||||
|
* directly, but there isn't much choice (and there
|
||||||
|
* shouldn't be any ill side effects)
|
||||||
|
*/
|
||||||
|
name = (GENERAL_NAME *)SKM_sk_value(void, altnames, i);
|
||||||
|
#else
|
||||||
|
name = sk_GENERAL_NAME_value(altnames, i);
|
||||||
|
#endif
|
||||||
|
ns = (const char *)ASN1_STRING_data(name->d.ia5);
|
||||||
|
nslen = (size_t)ASN1_STRING_length(name->d.ia5);
|
||||||
|
|
||||||
|
if (name->type == GEN_DNS && ip == NULL &&
|
||||||
|
fetch_ssl_hname_match(host, strlen(host), ns, nslen))
|
||||||
|
return (1);
|
||||||
|
else if (name->type == GEN_IPADD && ip != NULL &&
|
||||||
|
fetch_ssl_ipaddr_match_bin(ip, ns, nslen))
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Verify server certificate by CN.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_verify_cn(X509_NAME *subject, const char *host,
|
||||||
|
struct addrinfo *ip)
|
||||||
|
{
|
||||||
|
ASN1_STRING *namedata;
|
||||||
|
X509_NAME_ENTRY *nameentry;
|
||||||
|
int cnlen, lastpos, loc, ret;
|
||||||
|
unsigned char *cn;
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
lastpos = -1;
|
||||||
|
loc = -1;
|
||||||
|
cn = NULL;
|
||||||
|
/* get most specific CN (last entry in list) and compare */
|
||||||
|
while ((lastpos = X509_NAME_get_index_by_NID(subject,
|
||||||
|
NID_commonName, lastpos)) != -1)
|
||||||
|
loc = lastpos;
|
||||||
|
|
||||||
|
if (loc > -1) {
|
||||||
|
nameentry = X509_NAME_get_entry(subject, loc);
|
||||||
|
namedata = X509_NAME_ENTRY_get_data(nameentry);
|
||||||
|
cnlen = ASN1_STRING_to_UTF8(&cn, namedata);
|
||||||
|
if (ip == NULL &&
|
||||||
|
fetch_ssl_hname_match(host, strlen(host), cn, cnlen))
|
||||||
|
ret = 1;
|
||||||
|
else if (ip != NULL && fetch_ssl_ipaddr_match(ip, cn, cnlen))
|
||||||
|
ret = 1;
|
||||||
|
OPENSSL_free(cn);
|
||||||
|
}
|
||||||
|
return (ret);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Verify that server certificate subjectAltName/CN matches
|
||||||
|
* hostname. First check, if there are alternative subject names. If yes,
|
||||||
|
* those have to match. Only if those don't exist it falls back to
|
||||||
|
* checking the subject's CN.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_verify_hname(X509 *cert, const char *host)
|
||||||
|
{
|
||||||
|
struct addrinfo *ip;
|
||||||
|
STACK_OF(GENERAL_NAME) *altnames;
|
||||||
|
X509_NAME *subject;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
ip = fetch_ssl_get_numeric_addrinfo(host, strlen(host));
|
||||||
|
altnames = X509_get_ext_d2i(cert, NID_subject_alt_name,
|
||||||
|
NULL, NULL);
|
||||||
|
|
||||||
|
if (altnames != NULL) {
|
||||||
|
ret = fetch_ssl_verify_altname(altnames, host, ip);
|
||||||
|
} else {
|
||||||
|
subject = X509_get_subject_name(cert);
|
||||||
|
if (subject != NULL)
|
||||||
|
ret = fetch_ssl_verify_cn(subject, host, ip);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ip != NULL)
|
||||||
|
freeaddrinfo(ip);
|
||||||
|
if (altnames != NULL)
|
||||||
|
GENERAL_NAMES_free(altnames);
|
||||||
|
return (ret);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Configure transport security layer based on environment.
|
||||||
|
*/
|
||||||
|
static void
|
||||||
|
fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
|
||||||
|
{
|
||||||
|
long ssl_ctx_options;
|
||||||
|
|
||||||
|
ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_TICKET;
|
||||||
|
if (getenv("SSL_ALLOW_SSL2") == NULL)
|
||||||
|
ssl_ctx_options |= SSL_OP_NO_SSLv2;
|
||||||
|
if (getenv("SSL_NO_SSL3") != NULL)
|
||||||
|
ssl_ctx_options |= SSL_OP_NO_SSLv3;
|
||||||
|
if (getenv("SSL_NO_TLS1") != NULL)
|
||||||
|
ssl_ctx_options |= SSL_OP_NO_TLSv1;
|
||||||
|
if (verbose)
|
||||||
|
fetch_info("SSL options: %x", ssl_ctx_options);
|
||||||
|
SSL_CTX_set_options(ctx, ssl_ctx_options);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Configure peer verification based on environment.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
|
||||||
|
{
|
||||||
|
X509_LOOKUP *crl_lookup;
|
||||||
|
X509_STORE *crl_store;
|
||||||
|
const char *ca_cert_file, *ca_cert_path, *crl_file;
|
||||||
|
|
||||||
|
if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
|
||||||
|
ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ?
|
||||||
|
getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem";
|
||||||
|
ca_cert_path = getenv("SSL_CA_CERT_PATH");
|
||||||
|
if (verbose) {
|
||||||
|
fetch_info("Peer verification enabled");
|
||||||
|
if (ca_cert_file != NULL)
|
||||||
|
fetch_info("Using CA cert file: %s",
|
||||||
|
ca_cert_file);
|
||||||
|
if (ca_cert_path != NULL)
|
||||||
|
fetch_info("Using CA cert path: %s",
|
||||||
|
ca_cert_path);
|
||||||
|
}
|
||||||
|
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER,
|
||||||
|
fetch_ssl_cb_verify_crt);
|
||||||
|
SSL_CTX_load_verify_locations(ctx, ca_cert_file,
|
||||||
|
ca_cert_path);
|
||||||
|
if ((crl_file = getenv("SSL_CRL_FILE")) != NULL) {
|
||||||
|
if (verbose)
|
||||||
|
fetch_info("Using CRL file: %s", crl_file);
|
||||||
|
crl_store = SSL_CTX_get_cert_store(ctx);
|
||||||
|
crl_lookup = X509_STORE_add_lookup(crl_store,
|
||||||
|
X509_LOOKUP_file());
|
||||||
|
if (crl_lookup == NULL ||
|
||||||
|
!X509_load_crl_file(crl_lookup, crl_file,
|
||||||
|
X509_FILETYPE_PEM)) {
|
||||||
|
fprintf(stderr,
|
||||||
|
"Could not load CRL file %s\n",
|
||||||
|
crl_file);
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
X509_STORE_set_flags(crl_store,
|
||||||
|
X509_V_FLAG_CRL_CHECK |
|
||||||
|
X509_V_FLAG_CRL_CHECK_ALL);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Configure client certificate based on environment.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
fetch_ssl_setup_client_certificate(SSL_CTX *ctx, int verbose)
|
||||||
|
{
|
||||||
|
const char *client_cert_file, *client_key_file;
|
||||||
|
|
||||||
|
if ((client_cert_file = getenv("SSL_CLIENT_CERT_FILE")) != NULL) {
|
||||||
|
client_key_file = getenv("SSL_CLIENT_KEY_FILE") != NULL ?
|
||||||
|
getenv("SSL_CLIENT_KEY_FILE") : client_cert_file;
|
||||||
|
if (verbose) {
|
||||||
|
fetch_info("Using client cert file: %s",
|
||||||
|
client_cert_file);
|
||||||
|
fetch_info("Using client key file: %s",
|
||||||
|
client_key_file);
|
||||||
|
}
|
||||||
|
if (SSL_CTX_use_certificate_chain_file(ctx,
|
||||||
|
client_cert_file) != 1) {
|
||||||
|
fprintf(stderr,
|
||||||
|
"Could not load client certificate %s\n",
|
||||||
|
client_cert_file);
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
if (SSL_CTX_use_PrivateKey_file(ctx, client_key_file,
|
||||||
|
SSL_FILETYPE_PEM) != 1) {
|
||||||
|
fprintf(stderr,
|
||||||
|
"Could not load client key %s\n",
|
||||||
|
client_key_file);
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Callback for SSL certificate verification, this is called on server
|
||||||
|
* cert verification. It takes no decision, but informs the user in case
|
||||||
|
* verification failed.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
fetch_ssl_cb_verify_crt(int verified, X509_STORE_CTX *ctx)
|
||||||
|
{
|
||||||
|
X509 *crt;
|
||||||
|
X509_NAME *name;
|
||||||
|
char *str;
|
||||||
|
|
||||||
|
str = NULL;
|
||||||
|
if (!verified) {
|
||||||
|
if ((crt = X509_STORE_CTX_get_current_cert(ctx)) != NULL &&
|
||||||
|
(name = X509_get_subject_name(crt)) != NULL)
|
||||||
|
str = X509_NAME_oneline(name, 0, 0);
|
||||||
|
fprintf(stderr, "Certificate verification failed for %s\n",
|
||||||
|
str != NULL ? str : "no relevant certificate");
|
||||||
|
OPENSSL_free(str);
|
||||||
|
}
|
||||||
|
return (verified);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Enable SSL on a connection.
|
* Enable SSL on a connection.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
fetch_ssl(conn_t *conn, int verbose)
|
fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
|
||||||
{
|
{
|
||||||
#ifdef WITH_SSL
|
#ifdef WITH_SSL
|
||||||
int ret, ssl_err;
|
int ret, ssl_err;
|
||||||
|
X509_NAME *name;
|
||||||
|
char *str;
|
||||||
|
|
||||||
/* Init the SSL library and context */
|
/* Init the SSL library and context */
|
||||||
if (!SSL_library_init()){
|
if (!SSL_library_init()){
|
||||||
@ -339,8 +817,14 @@ fetch_ssl(conn_t *conn, int verbose)
|
|||||||
conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
|
conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
|
||||||
SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
|
SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
|
||||||
|
|
||||||
|
fetch_ssl_setup_transport_layer(conn->ssl_ctx, verbose);
|
||||||
|
if (!fetch_ssl_setup_peer_verification(conn->ssl_ctx, verbose))
|
||||||
|
return (-1);
|
||||||
|
if (!fetch_ssl_setup_client_certificate(conn->ssl_ctx, verbose))
|
||||||
|
return (-1);
|
||||||
|
|
||||||
conn->ssl = SSL_new(conn->ssl_ctx);
|
conn->ssl = SSL_new(conn->ssl_ctx);
|
||||||
if (conn->ssl == NULL){
|
if (conn->ssl == NULL) {
|
||||||
fprintf(stderr, "SSL context creation failed\n");
|
fprintf(stderr, "SSL context creation failed\n");
|
||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
@ -353,22 +837,35 @@ fetch_ssl(conn_t *conn, int verbose)
|
|||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
conn->ssl_cert = SSL_get_peer_certificate(conn->ssl);
|
||||||
|
|
||||||
|
if (conn->ssl_cert == NULL) {
|
||||||
|
fprintf(stderr, "No server SSL certificate\n");
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (getenv("SSL_NO_VERIFY_HOSTNAME") == NULL) {
|
||||||
|
if (verbose)
|
||||||
|
fetch_info("Verify hostname");
|
||||||
|
if (!fetch_ssl_verify_hname(conn->ssl_cert, URL->host)) {
|
||||||
|
fprintf(stderr,
|
||||||
|
"SSL certificate subject doesn't match host %s\n",
|
||||||
|
URL->host);
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (verbose) {
|
if (verbose) {
|
||||||
X509_NAME *name;
|
fetch_info("SSL connection established using %s",
|
||||||
char *str;
|
|
||||||
|
|
||||||
fprintf(stderr, "SSL connection established using %s\n",
|
|
||||||
SSL_get_cipher(conn->ssl));
|
SSL_get_cipher(conn->ssl));
|
||||||
conn->ssl_cert = SSL_get_peer_certificate(conn->ssl);
|
|
||||||
name = X509_get_subject_name(conn->ssl_cert);
|
name = X509_get_subject_name(conn->ssl_cert);
|
||||||
str = X509_NAME_oneline(name, 0, 0);
|
str = X509_NAME_oneline(name, 0, 0);
|
||||||
printf("Certificate subject: %s\n", str);
|
fetch_info("Certificate subject: %s", str);
|
||||||
free(str);
|
OPENSSL_free(str);
|
||||||
name = X509_get_issuer_name(conn->ssl_cert);
|
name = X509_get_issuer_name(conn->ssl_cert);
|
||||||
str = X509_NAME_oneline(name, 0, 0);
|
str = X509_NAME_oneline(name, 0, 0);
|
||||||
printf("Certificate issuer: %s\n", str);
|
fetch_info("Certificate issuer: %s", str);
|
||||||
free(str);
|
OPENSSL_free(str);
|
||||||
}
|
}
|
||||||
|
|
||||||
return (0);
|
return (0);
|
||||||
@ -726,6 +1223,22 @@ fetch_close(conn_t *conn)
|
|||||||
|
|
||||||
if (--conn->ref > 0)
|
if (--conn->ref > 0)
|
||||||
return (0);
|
return (0);
|
||||||
|
#ifdef WITH_SSL
|
||||||
|
if (conn->ssl) {
|
||||||
|
SSL_shutdown(conn->ssl);
|
||||||
|
SSL_set_connect_state(conn->ssl);
|
||||||
|
SSL_free(conn->ssl);
|
||||||
|
conn->ssl = NULL;
|
||||||
|
}
|
||||||
|
if (conn->ssl_ctx) {
|
||||||
|
SSL_CTX_free(conn->ssl_ctx);
|
||||||
|
conn->ssl_ctx = NULL;
|
||||||
|
}
|
||||||
|
if (conn->ssl_cert) {
|
||||||
|
X509_free(conn->ssl_cert);
|
||||||
|
conn->ssl_cert = NULL;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
ret = close(conn->sd);
|
ret = close(conn->sd);
|
||||||
free(conn->cache.buf);
|
free(conn->cache.buf);
|
||||||
free(conn->buf);
|
free(conn->buf);
|
||||||
|
@ -87,7 +87,10 @@ int fetch_bind(int, int, const char *);
|
|||||||
conn_t *fetch_connect(const char *, int, int, int);
|
conn_t *fetch_connect(const char *, int, int, int);
|
||||||
conn_t *fetch_reopen(int);
|
conn_t *fetch_reopen(int);
|
||||||
conn_t *fetch_ref(conn_t *);
|
conn_t *fetch_ref(conn_t *);
|
||||||
int fetch_ssl(conn_t *, int);
|
#ifdef WITH_SSL
|
||||||
|
int fetch_ssl_cb_verify_crt(int, X509_STORE_CTX*);
|
||||||
|
#endif
|
||||||
|
int fetch_ssl(conn_t *, const struct url *, int);
|
||||||
ssize_t fetch_read(conn_t *, char *, size_t);
|
ssize_t fetch_read(conn_t *, char *, size_t);
|
||||||
int fetch_getln(conn_t *);
|
int fetch_getln(conn_t *);
|
||||||
ssize_t fetch_write(conn_t *, const char *, size_t);
|
ssize_t fetch_write(conn_t *, const char *, size_t);
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
.\"-
|
.\"-
|
||||||
.\" Copyright (c) 1998-2011 Dag-Erling Smørgrav
|
.\" Copyright (c) 1998-2011 Dag-Erling Smørgrav
|
||||||
|
.\" Copyright (c) 2013 Michael Gmelin <freebsd@grem.de>
|
||||||
.\" All rights reserved.
|
.\" All rights reserved.
|
||||||
.\"
|
.\"
|
||||||
.\" Redistribution and use in source and binary forms, with or without
|
.\" Redistribution and use in source and binary forms, with or without
|
||||||
@ -25,7 +26,7 @@
|
|||||||
.\"
|
.\"
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 27, 2011
|
.Dd January 25, 2013
|
||||||
.Dt FETCH 3
|
.Dt FETCH 3
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -392,6 +393,60 @@ method in a manner consistent with the rest of the
|
|||||||
library,
|
library,
|
||||||
.Fn fetchPutHTTP
|
.Fn fetchPutHTTP
|
||||||
is currently unimplemented.
|
is currently unimplemented.
|
||||||
|
.Sh HTTPS SCHEME
|
||||||
|
Based on HTTP SCHEME.
|
||||||
|
By default the peer is verified using the CA bundle located in
|
||||||
|
.Pa /etc/ssl/cert.pem .
|
||||||
|
The file may contain multiple CA certificates.
|
||||||
|
A common source of a current CA bundle is
|
||||||
|
.Pa \%security/ca_root_nss .
|
||||||
|
.Pp
|
||||||
|
The CA bundle used for peer verification can be changed by setting the
|
||||||
|
environment variables
|
||||||
|
.Ev SSL_CA_CERT_FILE
|
||||||
|
to point to a concatenated bundle of trusted certificates and
|
||||||
|
.Ev SSL_CA_CERT_PATH
|
||||||
|
to point to a directory containing hashes of trusted CAs (see
|
||||||
|
.Xr verify 1 ) .
|
||||||
|
.Pp
|
||||||
|
A certificate revocation list (CRL) can be used by setting the
|
||||||
|
environment variable
|
||||||
|
.Ev SSL_CRL_FILE
|
||||||
|
(see
|
||||||
|
.Xr crl 1 ) .
|
||||||
|
.Pp
|
||||||
|
Peer verification can be disabled by setting the environment variable
|
||||||
|
.Ev SSL_NO_VERIFY_PEER .
|
||||||
|
Note that this also disables CRL checking.
|
||||||
|
.Pp
|
||||||
|
By default the service identity is verified according to the rules
|
||||||
|
detailed in RFC6125 (also known as hostname verification).
|
||||||
|
This feature can be disabled by setting the environment variable
|
||||||
|
.Ev SSL_NO_VERIFY_HOSTNAME .
|
||||||
|
.Pp
|
||||||
|
Client certificate based authentication is supported.
|
||||||
|
The environment variable
|
||||||
|
.Ev SSL_CLIENT_CERT_FILE
|
||||||
|
should be set to point to a file containing key and client certificate
|
||||||
|
to be used in PEM format. In case the key is stored in a separate
|
||||||
|
file, the environment variable
|
||||||
|
.Ev SSL_CLIENT_KEY_FILE
|
||||||
|
can be set to point to the key in PEM format.
|
||||||
|
In case the key uses a password, the user will be prompted on standard
|
||||||
|
input (see
|
||||||
|
.Xr PEM 3 ) .
|
||||||
|
.Pp
|
||||||
|
By default
|
||||||
|
.Nm libfetch
|
||||||
|
allows SSLv3 and TLSv1 when negotiating the connecting with the remote
|
||||||
|
peer.
|
||||||
|
You can change this behavior by setting the environment variable
|
||||||
|
.Ev SSL_ALLOW_SSL2
|
||||||
|
to allow SSLv2 (not recommended) and
|
||||||
|
.Ev SSL_NO_SSL3
|
||||||
|
or
|
||||||
|
.Ev SSL_NO_TLS1
|
||||||
|
to disable the respective methods.
|
||||||
.Sh AUTHENTICATION
|
.Sh AUTHENTICATION
|
||||||
Apart from setting the appropriate environment variables and
|
Apart from setting the appropriate environment variables and
|
||||||
specifying the user name and password in the URL or the
|
specifying the user name and password in the URL or the
|
||||||
@ -579,6 +634,31 @@ which proxies should not be used.
|
|||||||
Same as
|
Same as
|
||||||
.Ev NO_PROXY ,
|
.Ev NO_PROXY ,
|
||||||
for compatibility.
|
for compatibility.
|
||||||
|
.It Ev SSL_ALLOW_SSL2
|
||||||
|
Allow SSL version 2 when negotiating the connection (not recommended).
|
||||||
|
.It Ev SSL_CA_CERT_FILE
|
||||||
|
CA certificate bundle containing trusted CA certificates.
|
||||||
|
Default value:
|
||||||
|
.Pa /etc/ssl/cert.pem .
|
||||||
|
.It Ev SSL_CA_CERT_PATH
|
||||||
|
Path containing trusted CA hashes.
|
||||||
|
.It Ev SSL_CLIENT_CERT_FILE
|
||||||
|
PEM encoded client certificate/key which will be used in
|
||||||
|
client certificate authentication.
|
||||||
|
.It Ev SSL_CLIENT_KEY_FILE
|
||||||
|
PEM encoded client key in case key and client certificate
|
||||||
|
are stored separately.
|
||||||
|
.It Ev SSL_CRL_FILE
|
||||||
|
File containing certificate revocation list.
|
||||||
|
.It Ev SSL_NO_SSL3
|
||||||
|
Don't allow SSL version 3 when negotiating the connection.
|
||||||
|
.It Ev SSL_NO_TLS1
|
||||||
|
Don't allow TLV version 1 when negotiating the connection.
|
||||||
|
.It Ev SSL_NO_VERIFY_HOSTNAME
|
||||||
|
If set, do not verify that the hostname matches the subject of the
|
||||||
|
certificate presented by the server.
|
||||||
|
.It Ev SSL_NO_VERIFY_PEER
|
||||||
|
If set, do not verify the peer certificate against trusted CAs.
|
||||||
.El
|
.El
|
||||||
.Sh EXAMPLES
|
.Sh EXAMPLES
|
||||||
To access a proxy server on
|
To access a proxy server on
|
||||||
@ -610,6 +690,19 @@ as follows:
|
|||||||
.Bd -literal -offset indent
|
.Bd -literal -offset indent
|
||||||
NO_PROXY=localhost,127.0.0.1
|
NO_PROXY=localhost,127.0.0.1
|
||||||
.Ed
|
.Ed
|
||||||
|
.Pp
|
||||||
|
Access HTTPS website without any certificate verification whatsoever:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
SSL_NO_VERIFY_PEER=1
|
||||||
|
SSL_NO_VERIFY_HOSTNAME=1
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
Access HTTPS website using client certificate based authentication
|
||||||
|
and a private CA:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
SSL_CLIENT_CERT_FILE=/path/to/client.pem
|
||||||
|
SSL_CA_CERT_FILE=/path/to/myca.pem
|
||||||
|
.Ed
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr fetch 1 ,
|
.Xr fetch 1 ,
|
||||||
.Xr ftpio 3 ,
|
.Xr ftpio 3 ,
|
||||||
@ -678,7 +771,8 @@ with numerous suggestions and contributions from
|
|||||||
.An Hajimu Umemoto Aq ume@FreeBSD.org ,
|
.An Hajimu Umemoto Aq ume@FreeBSD.org ,
|
||||||
.An Henry Whincup Aq henry@techiebod.com ,
|
.An Henry Whincup Aq henry@techiebod.com ,
|
||||||
.An Jukka A. Ukkonen Aq jau@iki.fi ,
|
.An Jukka A. Ukkonen Aq jau@iki.fi ,
|
||||||
.An Jean-Fran\(,cois Dockes Aq jf@dockes.org
|
.An Jean-Fran\(,cois Dockes Aq jf@dockes.org ,
|
||||||
|
.An Michael Gmelin Aq freebsd@grem.de
|
||||||
and others.
|
and others.
|
||||||
It replaces the older
|
It replaces the older
|
||||||
.Nm ftpio
|
.Nm ftpio
|
||||||
@ -688,7 +782,9 @@ and
|
|||||||
.An Jordan K. Hubbard Aq jkh@FreeBSD.org .
|
.An Jordan K. Hubbard Aq jkh@FreeBSD.org .
|
||||||
.Pp
|
.Pp
|
||||||
This manual page was written by
|
This manual page was written by
|
||||||
.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
|
.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org
|
||||||
|
and
|
||||||
|
.An Michael Gmelin Aq freebsd@grem.de .
|
||||||
.Sh BUGS
|
.Sh BUGS
|
||||||
Some parts of the library are not yet implemented.
|
Some parts of the library are not yet implemented.
|
||||||
The most notable
|
The most notable
|
||||||
@ -717,6 +813,10 @@ implemented, superfluous at this site" in an FTP context and
|
|||||||
.Fn fetchStatFTP
|
.Fn fetchStatFTP
|
||||||
does not check that the result of an MDTM command is a valid date.
|
does not check that the result of an MDTM command is a valid date.
|
||||||
.Pp
|
.Pp
|
||||||
|
In case password protected keys are used for client certificate based
|
||||||
|
authentication the user is prompted for the password on each and every
|
||||||
|
fetch operation.
|
||||||
|
.Pp
|
||||||
The man page is incomplete, poorly written and produces badly
|
The man page is incomplete, poorly written and produces badly
|
||||||
formatted text.
|
formatted text.
|
||||||
.Pp
|
.Pp
|
||||||
|
@ -1408,7 +1408,7 @@ http_connect(struct url *URL, struct url *purl, const char *flags)
|
|||||||
http_get_reply(conn);
|
http_get_reply(conn);
|
||||||
}
|
}
|
||||||
if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 &&
|
if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 &&
|
||||||
fetch_ssl(conn, verbose) == -1) {
|
fetch_ssl(conn, URL, verbose) == -1) {
|
||||||
fetch_close(conn);
|
fetch_close(conn);
|
||||||
/* grrr */
|
/* grrr */
|
||||||
errno = EAUTH;
|
errno = EAUTH;
|
||||||
|
@ -38,22 +38,51 @@
|
|||||||
.Sh SYNOPSIS
|
.Sh SYNOPSIS
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl 146AadFlMmnPpqRrsUv
|
.Op Fl 146AadFlMmnPpqRrsUv
|
||||||
|
.Op Fl -allow-sslv2
|
||||||
.Op Fl B Ar bytes
|
.Op Fl B Ar bytes
|
||||||
|
.Op Fl -bind-address= Ns Ar host
|
||||||
|
.Op Fl -ca-cert= Ns Ar file
|
||||||
|
.Op Fl -ca-path= Ns Ar dir
|
||||||
|
.Op Fl -cert= Ns Ar file
|
||||||
|
.Op Fl -crl= Ns Ar file
|
||||||
.Op Fl i Ar file
|
.Op Fl i Ar file
|
||||||
|
.Op Fl -key= Ns Ar file
|
||||||
.Op Fl N Ar file
|
.Op Fl N Ar file
|
||||||
|
.Op Fl -no-passive
|
||||||
|
.Op Fl -no-proxy= Ns Ar list
|
||||||
|
.Op Fl -no-sslv3
|
||||||
|
.Op Fl -no-tlsv1
|
||||||
|
.Op Fl -no-verify-hostname
|
||||||
|
.Op Fl -no-verify-peer
|
||||||
.Op Fl o Ar file
|
.Op Fl o Ar file
|
||||||
|
.Op Fl -referer= Ns Ar URL
|
||||||
.Op Fl S Ar bytes
|
.Op Fl S Ar bytes
|
||||||
.Op Fl T Ar seconds
|
.Op Fl T Ar seconds
|
||||||
|
.Op Fl -user-agent= Ns Ar agent-string
|
||||||
.Op Fl w Ar seconds
|
.Op Fl w Ar seconds
|
||||||
.Ar URL ...
|
.Ar URL ...
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl 146AadFlMmnPpqRrsUv
|
.Op Fl 146AadFlMmnPpqRrsUv
|
||||||
.Op Fl B Ar bytes
|
.Op Fl B Ar bytes
|
||||||
|
.Op Fl -bind-address= Ns Ar host
|
||||||
|
.Op Fl -ca-cert= Ns Ar file
|
||||||
|
.Op Fl -ca-path= Ns Ar dir
|
||||||
|
.Op Fl -cert= Ns Ar file
|
||||||
|
.Op Fl -crl= Ns Ar file
|
||||||
.Op Fl i Ar file
|
.Op Fl i Ar file
|
||||||
|
.Op Fl -key= Ns Ar file
|
||||||
.Op Fl N Ar file
|
.Op Fl N Ar file
|
||||||
|
.Op Fl -no-passive
|
||||||
|
.Op Fl -no-proxy= Ns Ar list
|
||||||
|
.Op Fl -no-sslv3
|
||||||
|
.Op Fl -no-tlsv1
|
||||||
|
.Op Fl -no-verify-hostname
|
||||||
|
.Op Fl -no-verify-peer
|
||||||
.Op Fl o Ar file
|
.Op Fl o Ar file
|
||||||
|
.Op Fl -referer= Ns Ar URL
|
||||||
.Op Fl S Ar bytes
|
.Op Fl S Ar bytes
|
||||||
.Op Fl T Ar seconds
|
.Op Fl T Ar seconds
|
||||||
|
.Op Fl -user-agent= Ns Ar agent-string
|
||||||
.Op Fl w Ar seconds
|
.Op Fl w Ar seconds
|
||||||
.Fl h Ar host Fl f Ar file Oo Fl c Ar dir Oc
|
.Fl h Ar host Fl f Ar file Oo Fl c Ar dir Oc
|
||||||
.Sh DESCRIPTION
|
.Sh DESCRIPTION
|
||||||
@ -67,23 +96,26 @@ command line.
|
|||||||
.Pp
|
.Pp
|
||||||
The following options are available:
|
The following options are available:
|
||||||
.Bl -tag -width Fl
|
.Bl -tag -width Fl
|
||||||
.It Fl 1
|
.It Fl 1 , -one-file
|
||||||
Stop and return exit code 0 at the first successfully retrieved file.
|
Stop and return exit code 0 at the first successfully retrieved file.
|
||||||
.It Fl 4
|
.It Fl 4 , -ipv4-only
|
||||||
Forces
|
Forces
|
||||||
.Nm
|
.Nm
|
||||||
to use IPv4 addresses only.
|
to use IPv4 addresses only.
|
||||||
.It Fl 6
|
.It Fl 6 , -ipv6-only
|
||||||
Forces
|
Forces
|
||||||
.Nm
|
.Nm
|
||||||
to use IPv6 addresses only.
|
to use IPv6 addresses only.
|
||||||
.It Fl A
|
.It Fl A , -no-redirect
|
||||||
Do not automatically follow ``temporary'' (302) redirects.
|
Do not automatically follow ``temporary'' (302) redirects.
|
||||||
Some broken Web sites will return a redirect instead of a not-found
|
Some broken Web sites will return a redirect instead of a not-found
|
||||||
error when the requested object does not exist.
|
error when the requested object does not exist.
|
||||||
.It Fl a
|
.It Fl a , -retry
|
||||||
Automatically retry the transfer upon soft failures.
|
Automatically retry the transfer upon soft failures.
|
||||||
.It Fl B Ar bytes
|
.It Fl -allow-sslv2
|
||||||
|
[SSL]
|
||||||
|
Allow SSL version 2 when negotiating the connection.
|
||||||
|
.It Fl B Ar bytes , Fl -buffer-size= Ns Ar bytes
|
||||||
Specify the read buffer size in bytes.
|
Specify the read buffer size in bytes.
|
||||||
The default is 4096 bytes.
|
The default is 4096 bytes.
|
||||||
Attempts to set a buffer size lower than this will be silently
|
Attempts to set a buffer size lower than this will be silently
|
||||||
@ -92,15 +124,43 @@ The number of reads actually performed is reported at verbosity level
|
|||||||
two or higher (see the
|
two or higher (see the
|
||||||
.Fl v
|
.Fl v
|
||||||
flag).
|
flag).
|
||||||
|
.It Fl -bind-address= Ns Ar host
|
||||||
|
Specifies a hostname or IP address to which sockets used for outgoing
|
||||||
|
connections will be bound.
|
||||||
.It Fl c Ar dir
|
.It Fl c Ar dir
|
||||||
The file to retrieve is in directory
|
The file to retrieve is in directory
|
||||||
.Ar dir
|
.Ar dir
|
||||||
on the remote host.
|
on the remote host.
|
||||||
This option is deprecated and is provided for backward compatibility
|
This option is deprecated and is provided for backward compatibility
|
||||||
only.
|
only.
|
||||||
.It Fl d
|
.It Fl -ca-cert= Ns Ar file
|
||||||
|
[SSL]
|
||||||
|
Path to certificate bundle containing trusted CA certificates.
|
||||||
|
If not specified,
|
||||||
|
.Pa /etc/ssl/cert.pem
|
||||||
|
is used.
|
||||||
|
The file may contain multiple CA certificates. The port
|
||||||
|
.Pa security/ca_root_nss
|
||||||
|
is a common source of a current CA bundle.
|
||||||
|
.It Fl -ca-path= Ns Ar dir
|
||||||
|
[SSL]
|
||||||
|
The directory
|
||||||
|
.Ar dir
|
||||||
|
contains trusted CA hashes.
|
||||||
|
.It Fl -cert= Ns Ar file
|
||||||
|
[SSL]
|
||||||
|
.Ar file
|
||||||
|
is a PEM encoded client certificate/key which will be used in
|
||||||
|
client certificate authentication.
|
||||||
|
.It Fl -crl= Ns Ar file
|
||||||
|
[SSL]
|
||||||
|
Points to certificate revocation list
|
||||||
|
.Ar file ,
|
||||||
|
which has to be in PEM format and may contain peer certificates that have
|
||||||
|
been revoked.
|
||||||
|
.It Fl d , -direct
|
||||||
Use a direct connection even if a proxy is configured.
|
Use a direct connection even if a proxy is configured.
|
||||||
.It Fl F
|
.It Fl F , -force-restart
|
||||||
In combination with the
|
In combination with the
|
||||||
.Fl r
|
.Fl r
|
||||||
flag, forces a restart even if the local and remote files have
|
flag, forces a restart even if the local and remote files have
|
||||||
@ -118,17 +178,22 @@ The file to retrieve is located on the host
|
|||||||
.Ar host .
|
.Ar host .
|
||||||
This option is deprecated and is provided for backward compatibility
|
This option is deprecated and is provided for backward compatibility
|
||||||
only.
|
only.
|
||||||
.It Fl i Ar file
|
.It Fl i Ar file , Fl -if-modified-since= Ns Ar file
|
||||||
If-Modified-Since mode: the remote file will only be retrieved if it
|
If-Modified-Since mode: the remote file will only be retrieved if it
|
||||||
is newer than
|
is newer than
|
||||||
.Ar file
|
.Ar file
|
||||||
on the local host.
|
on the local host.
|
||||||
(HTTP only)
|
(HTTP only)
|
||||||
.It Fl l
|
.It Fl -key= Ns Ar file
|
||||||
|
[SSL]
|
||||||
|
.Ar file
|
||||||
|
is a PEM encoded client key that will be used in client certificate
|
||||||
|
authentication in case key and client certificate are stored separately.
|
||||||
|
.It Fl l , -symlink
|
||||||
If the target is a file-scheme URL, make a symbolic link to the target
|
If the target is a file-scheme URL, make a symbolic link to the target
|
||||||
rather than trying to copy it.
|
rather than trying to copy it.
|
||||||
.It Fl M
|
.It Fl M
|
||||||
.It Fl m
|
.It Fl m , -mirror
|
||||||
Mirror mode: if the file already exists locally and has the same size
|
Mirror mode: if the file already exists locally and has the same size
|
||||||
and modification time as the remote file, it will not be fetched.
|
and modification time as the remote file, it will not be fetched.
|
||||||
Note that the
|
Note that the
|
||||||
@ -136,7 +201,7 @@ Note that the
|
|||||||
and
|
and
|
||||||
.Fl r
|
.Fl r
|
||||||
flags are mutually exclusive.
|
flags are mutually exclusive.
|
||||||
.It Fl N Ar file
|
.It Fl N Ar file , Fl -netrc= Ns Ar file
|
||||||
Use
|
Use
|
||||||
.Ar file
|
.Ar file
|
||||||
instead of
|
instead of
|
||||||
@ -146,9 +211,28 @@ See
|
|||||||
.Xr ftp 1
|
.Xr ftp 1
|
||||||
for a description of the file format.
|
for a description of the file format.
|
||||||
This feature is experimental.
|
This feature is experimental.
|
||||||
.It Fl n
|
.It Fl n , -no-mtime
|
||||||
Do not preserve the modification time of the transferred file.
|
Do not preserve the modification time of the transferred file.
|
||||||
.It Fl o Ar file
|
.It Fl -no-passive
|
||||||
|
Forces the FTP code to use active mode.
|
||||||
|
.It Fl -no-proxy= Ns Ar list
|
||||||
|
Either a single asterisk, which disables the use of proxies
|
||||||
|
altogether, or a comma- or whitespace-separated list of hosts for
|
||||||
|
which proxies should not be used.
|
||||||
|
.It Fl -no-sslv3
|
||||||
|
[SSL]
|
||||||
|
Don't allow SSL version 3 when negotiating the connection.
|
||||||
|
.It Fl -no-tlsv1
|
||||||
|
[SSL]
|
||||||
|
Don't allow TLS version 1 when negotiating the connection.
|
||||||
|
.It Fl -no-verify-hostname
|
||||||
|
[SSL]
|
||||||
|
Do not verify that the hostname matches the subject of the
|
||||||
|
certificate presented by the server.
|
||||||
|
.It Fl -no-verify-peer
|
||||||
|
[SSL]
|
||||||
|
Do not verify the peer certificate against trusted CAs.
|
||||||
|
.It Fl o Ar file , Fl output= Ns Ar file
|
||||||
Set the output file name to
|
Set the output file name to
|
||||||
.Ar file .
|
.Ar file .
|
||||||
By default, a ``pathname'' is extracted from the specified URI, and
|
By default, a ``pathname'' is extracted from the specified URI, and
|
||||||
@ -163,36 +247,45 @@ If the
|
|||||||
argument is a directory, fetched file(s) will be placed within the
|
argument is a directory, fetched file(s) will be placed within the
|
||||||
directory, with name(s) selected as in the default behaviour.
|
directory, with name(s) selected as in the default behaviour.
|
||||||
.It Fl P
|
.It Fl P
|
||||||
.It Fl p
|
.It Fl p , -passive
|
||||||
Use passive FTP.
|
Use passive FTP.
|
||||||
These flags have no effect, since passive FTP is the default, but are
|
These flags have no effect, since passive FTP is the default, but are
|
||||||
provided for compatibility with earlier versions where active FTP was
|
provided for compatibility with earlier versions where active FTP was
|
||||||
the default.
|
the default.
|
||||||
To force active mode, set the
|
To force active mode, use the
|
||||||
|
.Fl -no-passive
|
||||||
|
flag or set the
|
||||||
.Ev FTP_PASSIVE_MODE
|
.Ev FTP_PASSIVE_MODE
|
||||||
environment variable to
|
environment variable to
|
||||||
.Ql NO .
|
.Ql NO .
|
||||||
.It Fl q
|
.It Fl -referer= Ns Ar URL
|
||||||
|
Specifies the referrer URL to use for HTTP requests.
|
||||||
|
If
|
||||||
|
.Ar URL
|
||||||
|
is set to
|
||||||
|
.Dq auto ,
|
||||||
|
the document URL will be used as referrer URL.
|
||||||
|
.It Fl q , -quiet
|
||||||
Quiet mode.
|
Quiet mode.
|
||||||
.It Fl R
|
.It Fl R , -keep-output
|
||||||
The output files are precious, and should not be deleted under any
|
The output files are precious, and should not be deleted under any
|
||||||
circumstances, even if the transfer failed or was incomplete.
|
circumstances, even if the transfer failed or was incomplete.
|
||||||
.It Fl r
|
.It Fl r , -restart
|
||||||
Restart a previously interrupted transfer.
|
Restart a previously interrupted transfer.
|
||||||
Note that the
|
Note that the
|
||||||
.Fl m
|
.Fl m
|
||||||
and
|
and
|
||||||
.Fl r
|
.Fl r
|
||||||
flags are mutually exclusive.
|
flags are mutually exclusive.
|
||||||
.It Fl S Ar bytes
|
.It Fl S Ar bytes , Fl -require-size= Ns Ar bytes
|
||||||
Require the file size reported by the server to match the specified
|
Require the file size reported by the server to match the specified
|
||||||
value.
|
value.
|
||||||
If it does not, a message is printed and the file is not fetched.
|
If it does not, a message is printed and the file is not fetched.
|
||||||
If the server does not support reporting file sizes, this option is
|
If the server does not support reporting file sizes, this option is
|
||||||
ignored and the file is fetched unconditionally.
|
ignored and the file is fetched unconditionally.
|
||||||
.It Fl s
|
.It Fl s , -print-size
|
||||||
Print the size in bytes of each requested file, without fetching it.
|
Print the size in bytes of each requested file, without fetching it.
|
||||||
.It Fl T Ar seconds
|
.It Fl T Ar seconds , Fl -timeout= Ns Ar seconds
|
||||||
Set timeout value to
|
Set timeout value to
|
||||||
.Ar seconds .
|
.Ar seconds .
|
||||||
Overrides the environment variables
|
Overrides the environment variables
|
||||||
@ -200,15 +293,19 @@ Overrides the environment variables
|
|||||||
for FTP transfers or
|
for FTP transfers or
|
||||||
.Ev HTTP_TIMEOUT
|
.Ev HTTP_TIMEOUT
|
||||||
for HTTP transfers if set.
|
for HTTP transfers if set.
|
||||||
.It Fl U
|
.It Fl U , -passive-portrange-default
|
||||||
When using passive FTP, allocate the port for the data connection from
|
When using passive FTP, allocate the port for the data connection from
|
||||||
the low (default) port range.
|
the low (default) port range.
|
||||||
See
|
See
|
||||||
.Xr ip 4
|
.Xr ip 4
|
||||||
for details on how to specify which port range this corresponds to.
|
for details on how to specify which port range this corresponds to.
|
||||||
.It Fl v
|
.It Fl -user-agent= Ns Ar agent-string
|
||||||
|
Specifies the User-Agent string to use for HTTP requests.
|
||||||
|
This can be useful when working with HTTP origin or proxy servers that
|
||||||
|
differentiate between user agents.
|
||||||
|
.It Fl v , -verbose
|
||||||
Increase verbosity level.
|
Increase verbosity level.
|
||||||
.It Fl w Ar seconds
|
.It Fl w Ar seconds , Fl -retry-delay= Ns Ar seconds
|
||||||
When the
|
When the
|
||||||
.Fl a
|
.Fl a
|
||||||
flag is specified, wait this many seconds between successive retries.
|
flag is specified, wait this many seconds between successive retries.
|
||||||
@ -249,9 +346,19 @@ for a description of additional environment variables, including
|
|||||||
.Ev HTTP_REFERER ,
|
.Ev HTTP_REFERER ,
|
||||||
.Ev HTTP_USER_AGENT ,
|
.Ev HTTP_USER_AGENT ,
|
||||||
.Ev NETRC ,
|
.Ev NETRC ,
|
||||||
.Ev NO_PROXY
|
.Ev NO_PROXY ,
|
||||||
|
.Ev no_proxy ,
|
||||||
|
.Ev SSL_ALLOW_SSL2 ,
|
||||||
|
.Ev SSL_CA_CERT_FILE ,
|
||||||
|
.Ev SSL_CA_CERT_PATH ,
|
||||||
|
.Ev SSL_CLIENT_CERT_FILE ,
|
||||||
|
.Ev SSL_CLIENT_KEY_FILE ,
|
||||||
|
.Ev SSL_CRL_FILE ,
|
||||||
|
.Ev SSL_NO_SSL3 ,
|
||||||
|
.Ev SSL_NO_TLS1 ,
|
||||||
|
.Ev SSL_NO_VERIFY_HOSTNAME
|
||||||
and
|
and
|
||||||
.Ev no_proxy .
|
.Ev SSL_NO_VERIFY_PEER .
|
||||||
.Sh EXIT STATUS
|
.Sh EXIT STATUS
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
@ -288,7 +395,9 @@ by
|
|||||||
and later completely rewritten to use the
|
and later completely rewritten to use the
|
||||||
.Xr fetch 3
|
.Xr fetch 3
|
||||||
library by
|
library by
|
||||||
.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
|
.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org
|
||||||
|
and
|
||||||
|
.An Michael Gmelin Aq freebsd@grem.de .
|
||||||
.Sh NOTES
|
.Sh NOTES
|
||||||
The
|
The
|
||||||
.Fl b
|
.Fl b
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2000-2011 Dag-Erling Smørgrav
|
* Copyright (c) 2000-2011 Dag-Erling Smørgrav
|
||||||
|
* Copyright (c) 2013 Michael Gmelin <freebsd@grem.de>
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
@ -37,6 +38,7 @@ __FBSDID("$FreeBSD$");
|
|||||||
#include <ctype.h>
|
#include <ctype.h>
|
||||||
#include <err.h>
|
#include <err.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
|
#include <getopt.h>
|
||||||
#include <signal.h>
|
#include <signal.h>
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
@ -93,6 +95,78 @@ static long ftp_timeout = TIMEOUT; /* default timeout for FTP transfers */
|
|||||||
static long http_timeout = TIMEOUT;/* default timeout for HTTP transfers */
|
static long http_timeout = TIMEOUT;/* default timeout for HTTP transfers */
|
||||||
static char *buf; /* transfer buffer */
|
static char *buf; /* transfer buffer */
|
||||||
|
|
||||||
|
enum options
|
||||||
|
{
|
||||||
|
OPTION_BIND_ADDRESS,
|
||||||
|
OPTION_NO_FTP_PASSIVE_MODE,
|
||||||
|
OPTION_HTTP_REFERER,
|
||||||
|
OPTION_HTTP_USER_AGENT,
|
||||||
|
OPTION_NO_PROXY,
|
||||||
|
OPTION_SSL_ALLOW_SSL2,
|
||||||
|
OPTION_SSL_CA_CERT_FILE,
|
||||||
|
OPTION_SSL_CA_CERT_PATH,
|
||||||
|
OPTION_SSL_CLIENT_CERT_FILE,
|
||||||
|
OPTION_SSL_CLIENT_KEY_FILE,
|
||||||
|
OPTION_SSL_CRL_FILE,
|
||||||
|
OPTION_SSL_NO_SSL3,
|
||||||
|
OPTION_SSL_NO_TLS1,
|
||||||
|
OPTION_SSL_NO_VERIFY_HOSTNAME,
|
||||||
|
OPTION_SSL_NO_VERIFY_PEER
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
static struct option longopts[] =
|
||||||
|
{
|
||||||
|
/* mapping to single character argument */
|
||||||
|
{ "one-file", no_argument, NULL, '1' },
|
||||||
|
{ "ipv4-only", no_argument, NULL, '4' },
|
||||||
|
{ "ipv6-only", no_argument, NULL, '6' },
|
||||||
|
{ "no-redirect", no_argument, NULL, 'A' },
|
||||||
|
{ "retry", no_argument, NULL, 'a' },
|
||||||
|
{ "buffer-size", required_argument, NULL, 'B' },
|
||||||
|
/* -c not mapped, since it's deprecated */
|
||||||
|
{ "direct", no_argument, NULL, 'd' },
|
||||||
|
{ "force-restart", no_argument, NULL, 'F' },
|
||||||
|
/* -f not mapped, since it's deprecated */
|
||||||
|
/* -h not mapped, since it's deprecated */
|
||||||
|
{ "if-modified-since", required_argument, NULL, 'i' },
|
||||||
|
{ "symlink", no_argument, NULL, 'l' },
|
||||||
|
/* -M not mapped since it's the same as -m */
|
||||||
|
{ "mirror", no_argument, NULL, 'm' },
|
||||||
|
{ "netrc", required_argument, NULL, 'N' },
|
||||||
|
{ "no-mtime", no_argument, NULL, 'n' },
|
||||||
|
{ "output", required_argument, NULL, 'o' },
|
||||||
|
/* -P not mapped since it's the same as -p */
|
||||||
|
{ "passive", no_argument, NULL, 'p' },
|
||||||
|
{ "quiet", no_argument, NULL, 'q' },
|
||||||
|
{ "keep-output", no_argument, NULL, 'R' },
|
||||||
|
{ "restart", no_argument, NULL, 'r' },
|
||||||
|
{ "require-size", required_argument, NULL, 'S' },
|
||||||
|
{ "print-size", no_argument, NULL, 's' },
|
||||||
|
{ "timeout", required_argument, NULL, 'T' },
|
||||||
|
{ "passive-portrange-default", no_argument, NULL, 'T' },
|
||||||
|
{ "verbose", no_argument, NULL, 'v' },
|
||||||
|
{ "retry-delay", required_argument, NULL, 'w' },
|
||||||
|
|
||||||
|
/* options without a single character equivalent */
|
||||||
|
{ "bind-address", required_argument, NULL, OPTION_BIND_ADDRESS },
|
||||||
|
{ "no-passive", no_argument, NULL, OPTION_NO_FTP_PASSIVE_MODE },
|
||||||
|
{ "referer", required_argument, NULL, OPTION_HTTP_REFERER },
|
||||||
|
{ "user-agent", required_argument, NULL, OPTION_HTTP_USER_AGENT },
|
||||||
|
{ "no-proxy", required_argument, NULL, OPTION_NO_PROXY },
|
||||||
|
{ "allow-sslv2", no_argument, NULL, OPTION_SSL_ALLOW_SSL2 },
|
||||||
|
{ "ca-cert", required_argument, NULL, OPTION_SSL_CA_CERT_FILE },
|
||||||
|
{ "ca-path", required_argument, NULL, OPTION_SSL_CA_CERT_PATH },
|
||||||
|
{ "cert", required_argument, NULL, OPTION_SSL_CLIENT_CERT_FILE },
|
||||||
|
{ "key", required_argument, NULL, OPTION_SSL_CLIENT_KEY_FILE },
|
||||||
|
{ "crl", required_argument, NULL, OPTION_SSL_CRL_FILE },
|
||||||
|
{ "no-sslv3", no_argument, NULL, OPTION_SSL_NO_SSL3 },
|
||||||
|
{ "no-tlsv1", no_argument, NULL, OPTION_SSL_NO_TLS1 },
|
||||||
|
{ "no-verify-hostname", no_argument, NULL, OPTION_SSL_NO_VERIFY_HOSTNAME },
|
||||||
|
{ "no-verify-peer", no_argument, NULL, OPTION_SSL_NO_VERIFY_PEER },
|
||||||
|
|
||||||
|
{ NULL, 0, NULL, 0 }
|
||||||
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Signal handler
|
* Signal handler
|
||||||
@ -769,11 +843,19 @@ fetch(char *URL, const char *path)
|
|||||||
static void
|
static void
|
||||||
usage(void)
|
usage(void)
|
||||||
{
|
{
|
||||||
fprintf(stderr, "%s\n%s\n%s\n%s\n",
|
fprintf(stderr, "%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n",
|
||||||
"usage: fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [-N file] [-o file] [-S bytes]",
|
"usage: fetch [-146AadFlMmnPpqRrsUv] [--allow-sslv2] [-B bytes]",
|
||||||
" [-T seconds] [-w seconds] [-i file] URL ...",
|
" [--bind-address=host] [--ca-cert=file] [--ca-path=dir] [--cert=file]",
|
||||||
" fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [-N file] [-o file] [-S bytes]",
|
" [--crl=file] [-i file] [--key=file] [-N file] [--no-passive]",
|
||||||
" [-T seconds] [-w seconds] [-i file] -h host -f file [-c dir]");
|
" [--no-proxy=list] [--no-sslv3] [--no-tlsv1] [--no-verify-hostname]",
|
||||||
|
" [--no-verify-peer] [-o file] [--referer=URL] [-S bytes] [-T seconds]",
|
||||||
|
" [--user-agent=agent-string] [-w seconds] URL ...",
|
||||||
|
" fetch [-146AadFlMmnPpqRrsUv] [--allow-sslv2] [-B bytes]",
|
||||||
|
" [--bind-address=host] [--ca-cert=file] [--ca-path=dir] [--cert=file]",
|
||||||
|
" [--crl=file] [-i file] [--key=file] [-N file] [--no-passive]",
|
||||||
|
" [--no-proxy=list] [--no-sslv3] [--no-tlsv1] [--no-verify-hostname]",
|
||||||
|
" [--no-verify-peer] [-o file] [--referer=URL] [-S bytes] [-T seconds]",
|
||||||
|
" [--user-agent=agent-string] [-w seconds] -h host -f file [-c dir]");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -789,8 +871,10 @@ main(int argc, char *argv[])
|
|||||||
char *end, *q;
|
char *end, *q;
|
||||||
int c, e, r;
|
int c, e, r;
|
||||||
|
|
||||||
while ((c = getopt(argc, argv,
|
|
||||||
"146AaB:bc:dFf:Hh:i:lMmN:nPpo:qRrS:sT:tUvw:")) != -1)
|
while ((c = getopt_long(argc, argv,
|
||||||
|
"146AaB:bc:dFf:Hh:i:lMmN:nPpo:qRrS:sT:tUvw:",
|
||||||
|
longopts, NULL)) != -1)
|
||||||
switch (c) {
|
switch (c) {
|
||||||
case '1':
|
case '1':
|
||||||
once_flag = 1;
|
once_flag = 1;
|
||||||
@ -904,6 +988,51 @@ main(int argc, char *argv[])
|
|||||||
if (*optarg == '\0' || *end != '\0')
|
if (*optarg == '\0' || *end != '\0')
|
||||||
errx(1, "invalid delay (%s)", optarg);
|
errx(1, "invalid delay (%s)", optarg);
|
||||||
break;
|
break;
|
||||||
|
case OPTION_BIND_ADDRESS:
|
||||||
|
setenv("FETCH_BIND_ADDRESS", optarg, 1);
|
||||||
|
break;
|
||||||
|
case OPTION_NO_FTP_PASSIVE_MODE:
|
||||||
|
setenv("FTP_PASSIVE_MODE", "no", 1);
|
||||||
|
break;
|
||||||
|
case OPTION_HTTP_REFERER:
|
||||||
|
setenv("HTTP_REFERER", optarg, 1);
|
||||||
|
break;
|
||||||
|
case OPTION_HTTP_USER_AGENT:
|
||||||
|
setenv("HTTP_USER_AGENT", optarg, 1);
|
||||||
|
break;
|
||||||
|
case OPTION_NO_PROXY:
|
||||||
|
setenv("NO_PROXY", optarg, 1);
|
||||||
|
break;
|
||||||
|
case OPTION_SSL_ALLOW_SSL2:
|
||||||
|
setenv("SSL_ALLOW_SSL2", "", 1);
|
||||||
|
break;
|
||||||
|
case OPTION_SSL_CA_CERT_FILE:
|
||||||
|
setenv("SSL_CA_CERT_FILE", optarg, 1);
|
||||||
|
break;
|
||||||
|
case OPTION_SSL_CA_CERT_PATH:
|
||||||
|
setenv("SSL_CA_CERT_PATH", optarg, 1);
|
||||||
|
break;
|
||||||
|
case OPTION_SSL_CLIENT_CERT_FILE:
|
||||||
|
setenv("SSL_CLIENT_CERT_FILE", optarg, 1);
|
||||||
|
break;
|
||||||
|
case OPTION_SSL_CLIENT_KEY_FILE:
|
||||||
|
setenv("SSL_CLIENT_KEY_FILE", optarg, 1);
|
||||||
|
break;
|
||||||
|
case OPTION_SSL_CRL_FILE:
|
||||||
|
setenv("SSL_CLIENT_CRL_FILE", optarg, 1);
|
||||||
|
break;
|
||||||
|
case OPTION_SSL_NO_SSL3:
|
||||||
|
setenv("SSL_NO_SSL3", "", 1);
|
||||||
|
break;
|
||||||
|
case OPTION_SSL_NO_TLS1:
|
||||||
|
setenv("SSL_NO_TLS1", "", 1);
|
||||||
|
break;
|
||||||
|
case OPTION_SSL_NO_VERIFY_HOSTNAME:
|
||||||
|
setenv("SSL_NO_VERIFY_HOSTNAME", "", 1);
|
||||||
|
break;
|
||||||
|
case OPTION_SSL_NO_VERIFY_PEER:
|
||||||
|
setenv("SSL_NO_VERIFY_PEER", "", 1);
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
usage();
|
usage();
|
||||||
exit(1);
|
exit(1);
|
||||||
|
Loading…
Reference in New Issue
Block a user