Merge #172576: curl: 7.83.0 -> 7.83.1 (into staging)
This commit is contained in:
commit
d4a324dd5e
2 changed files with 57 additions and 4 deletions
|
@ -0,0 +1,51 @@
|
|||
diff --git a/lib/vquic/quiche.c b/lib/vquic/quiche.c
|
||||
index bfdc966a85ea..e4bea4d677be 100644
|
||||
--- a/lib/vquic/quiche.c
|
||||
+++ b/lib/vquic/quiche.c
|
||||
@@ -201,23 +201,31 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data)
|
||||
|
||||
{
|
||||
struct connectdata *conn = data->conn;
|
||||
- const char * const ssl_cafile = conn->ssl_config.CAfile;
|
||||
- const char * const ssl_capath = conn->ssl_config.CApath;
|
||||
-
|
||||
if(conn->ssl_config.verifypeer) {
|
||||
- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
|
||||
- /* tell OpenSSL where to find CA certificates that are used to verify
|
||||
- the server's certificate. */
|
||||
- if(!SSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) {
|
||||
- /* Fail if we insist on successfully verifying the server. */
|
||||
- failf(data, "error setting certificate verify locations:"
|
||||
- " CAfile: %s CApath: %s",
|
||||
- ssl_cafile ? ssl_cafile : "none",
|
||||
- ssl_capath ? ssl_capath : "none");
|
||||
- return NULL;
|
||||
+ const char * const ssl_cafile = conn->ssl_config.CAfile;
|
||||
+ const char * const ssl_capath = conn->ssl_config.CApath;
|
||||
+ if(ssl_cafile || ssl_capath) {
|
||||
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
|
||||
+ /* tell OpenSSL where to find CA certificates that are used to verify
|
||||
+ the server's certificate. */
|
||||
+ if(!SSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) {
|
||||
+ /* Fail if we insist on successfully verifying the server. */
|
||||
+ failf(data, "error setting certificate verify locations:"
|
||||
+ " CAfile: %s CApath: %s",
|
||||
+ ssl_cafile ? ssl_cafile : "none",
|
||||
+ ssl_capath ? ssl_capath : "none");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
|
||||
+ infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
|
||||
}
|
||||
- infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
|
||||
- infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
|
||||
+#ifdef CURL_CA_FALLBACK
|
||||
+ else {
|
||||
+ /* verifying the peer without any CA certificates won't work so
|
||||
+ use openssl's built-in default as fallback */
|
||||
+ SSL_CTX_set_default_verify_paths(ssl_ctx);
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
return ssl_ctx;
|
|
@ -62,18 +62,21 @@ assert zstdSupport -> zstd != null;
|
|||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "curl";
|
||||
version = "7.83.0";
|
||||
version = "7.83.1";
|
||||
|
||||
src = fetchurl {
|
||||
urls = [
|
||||
"https://curl.haxx.se/download/${pname}-${version}.tar.bz2"
|
||||
"https://github.com/curl/curl/releases/download/${lib.replaceStrings ["."] ["_"] pname}-${version}/${pname}-${version}.tar.bz2"
|
||||
];
|
||||
sha256 = "sha256-JHx+x1IcQljmVjTlKScNIU/jKWmXHMy3KEXnqkaDH5Y=";
|
||||
sha256 = "sha256-9Tmjb7RKgmDsXZd+Tg290u7intkPztqpvDyfeKETv/A=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
./7.79.1-darwin-no-systemconfiguration.patch
|
||||
# quiche: support ca-fallback
|
||||
# https://github.com/curl/curl/commit/fdb5e21b4dd171a96cf7c002ee77bb08f8e58021
|
||||
./7.83.1-quiche-support-ca-fallback.patch
|
||||
];
|
||||
|
||||
outputs = [ "bin" "dev" "out" "man" "devdoc" ];
|
||||
|
@ -141,8 +144,7 @@ stdenv.mkDerivation rec {
|
|||
] ++ lib.optionals stdenv.isDarwin [
|
||||
# Disable default CA bundle, use NIX_SSL_CERT_FILE or fallback to nss-cacert from the default profile.
|
||||
# Without this curl might detect /etc/ssl/cert.pem at build time on macOS, causing curl to ignore NIX_SSL_CERT_FILE.
|
||||
# https://github.com/curl/curl/issues/8696 - fallback is not supported by HTTP3
|
||||
(if http3Support then "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt" else "--without-ca-bundle")
|
||||
"--without-ca-bundle"
|
||||
"--without-ca-path"
|
||||
];
|
||||
|
||||
|
|
Loading…
Reference in a new issue