ucb/source/ucp/webdav-curl/CurlSession.cxx | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
New commits:
commit 413ce31fd190a39c91204c350edf45a5ea5eb114
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Fri Aug 12 16:43:12 2022 +0200
Commit: Caolán McNamara <caol...@redhat.com>
CommitDate: Mon Aug 15 13:16:26 2022 +0200
tdf#149921 ucb: webdav-curl: WNT: certificate revocation check
- don't require it to be successful.
Trying to connect to a server with self-signed CA results in:
warn:ucb.ucp.webdav.curl:6796:6568:ucb/source/ucp/webdav-curl/CurlSession.cxx:946:
curl_easy_perform failed: (35) schannel: next InitializeSecurityContext
failed:
Unknown error (0x80092012) - The revocation function was unable to check
revocation for the certificate.
Apparently schannel wants to check by default (called with
SCH_CRED_REVOCATION_CHECK_CHAIN) that all the certificates aren't
revoked, but the self-signed CA doesn't specify how to check.
Set it to only check revocation when the way to do so actually works,
via CURLSSLOPT_REVOKE_BEST_EFFORT, which sets these flags:
SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE |
SCH_CRED_REVOCATION_CHECK_CHAIN
Change-Id: I6d77ca23fe2012d8a5d65000b14775070b5c9a0f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138204
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 3917867b80825f5b4daa4dd8a33c311deb4539bf)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138275
Reviewed-by: Caolán McNamara <caol...@redhat.com>
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 09f36de25a34..85b2edc3c68a 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -677,8 +677,17 @@
CurlSession::CurlSession(uno::Reference<uno::XComponentContext> const& xContext,
rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_READFUNCTION, &read_callback);
assert(rc == CURLE_OK);
rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION,
&header_callback);
- // set this initially, may be overwritten during authentication
assert(rc == CURLE_OK);
+ // tdf#149921 by default, with schannel (WNT) connection fails if
revocation
+ // lists cannot be checked; try to limit the checking to when revocation
+ // lists can actually be retrieved (usually not the case for self-signed
CA)
+#if CURL_AT_LEAST_VERSION(7, 70, 0)
+ rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS,
CURLSSLOPT_REVOKE_BEST_EFFORT);
+ assert(rc == CURLE_OK);
+ rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS,
CURLSSLOPT_REVOKE_BEST_EFFORT);
+ assert(rc == CURLE_OK);
+#endif
+ // set this initially, may be overwritten during authentication
rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY);
assert(rc == CURLE_OK); // ANY is always available
// always set CURLOPT_PROXY to suppress proxy detection in libcurl
