From 6a0e7acbf01e22665d89a9c6556f3a8220a78756 Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Fri, 30 Jun 2017 17:20:21 +0200
Subject: TLS support: Error out on unsupported curl options

Silently ignoring the options might be a security issue, so produce an error instead.
---
 methods/connect.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/methods/connect.cc b/methods/connect.cc
index 0d4b3e26f..97057286e 100644
--- a/methods/connect.cc
+++ b/methods/connect.cc
@@ -697,8 +697,10 @@ bool UnwrapTLS(std::string Host, std::unique_ptr &Fd,
 return _error->Error("Could not load CaInfo certificate: %s", gnutls_strerror(err));
 }
- // TODO: IssuerCert AKA CURLOPT_ISSUERCERT
- // TODO: Emulate SslForceVersion AKA CURLOPT_SSLVERSION?
+ if (!Owner->ConfigFind("IssuerCert", "").empty())
+ return _error->Error("The option '%s' is not supported anymore", "IssuerCert");
+ if (!Owner->ConfigFind("SslForceVersion", "").empty())
+ return _error->Error("The option '%s' is not supported anymore", "SslForceVersion");
 // For client authentication, certificate file ...
 std::string const cert = Owner->ConfigFind("SslCert", "");
-- 
cgit v1.2.3
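Review bot: The two added checks in UnwrapTLS report only the bare option name, so an administrator who gets this error has no hint which connection triggered it; naming the `Host` parameter would help, e.g. `return _error->Error("The option '%s' is not supported anymore (connecting to %s)", "IssuerCert", Host.c_str());`. The pair is also copy-pasted and could be a single loop, `for (auto const *Opt : {"IssuerCert", "SslForceVersion"})`, which keeps the list of rejected options in one place if more are added. A short comment above the checks, such as `// Fail closed: ignoring a trust or protocol restriction would silently weaken what the admin configured`, would carry the commit message's reasoning into the code. How `ConfigFind` resolves per-host versus global settings is not visible here, and UnwrapTLS starts and ends outside the hunk.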