set TLS option CURLSSLOPT_REVOKE_BEST_EFFORT
The Windows native TLS backend (Schannel) makes synchronous certificate
revocation checks against a CRL server. For users behind a firewall,
this server may be unreachable, causing the TLS connection to fail. The
CURLSSLOPT_REVOKE_BEST_EFFORT option addresses precisely this situation,
configuring Schannel to make a best effort revocation check but allowing
the connection if the CRL server cannot be reached, as long as the
certificate isn't already known to be revoked. This behavior matches the
default revocation checking behavior on macOS (asynchronous best effort)
and is strictly more secure than Linux where no CRL checking is done.

Since the typical advice in such situations is to disable TLS host
verification entirely, this is an improvement in that with this option,
so long as the client's system CA roots are configured correctly, host
verification will work and at least local MITM attacks are prevented.
StefanKarpinski committed Apr 21, 2021
1 parent 6bddc0b commit 34deb3f
Showing 3 changed files with 6 additions and 4 deletions.
4 changes: 4 additions & 0 deletions src/Curl/Curl.jl
@@ -29,6 +29,10 @@ using LibCURL
using LibCURL: curl_off_t
# not exported: https://github.com/JuliaWeb/LibCURL.jl/issues/87

# constants that LibCURL should have but doesn't
const CURLE_PEER_FAILED_VERIFICATION = 60
const CURLSSLOPT_REVOKE_BEST_EFFORT = 1 << 3

using NetworkOptions
using Base: preserve_handle, unpreserve_handle

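Review bot: the two hand-copied constants carry no pointer to where their values come from, so a future reader has no way to check them against curl's header; the FIXME this same commit removes from test/runtests.jl records that LibCURL's own constants have already drifted from curl, and a local copy carries exactly the same risk. Suggest the comment name the curl header the values are taken from and link the LibCURL issue that tracks adding them (the line just above already links issue 87 for a related gap), and say that `CURLSSLOPT_REVOKE_BEST_EFFORT` is one bit of the `CURLOPT_SSL_OPTIONS` mask rather than a standalone value, e.g. `const CURLSSLOPT_REVOKE_BEST_EFFORT = 1 << 3  # bit in CURLOPT_SSL_OPTIONS, copied from curl.h`.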
1 change: 1 addition & 0 deletions src/Curl/Easy.jl
@@ -51,6 +51,7 @@ function set_defaults(easy::Easy)
setopt(easy, CURLOPT_USERAGENT, USER_AGENT)
setopt(easy, CURLOPT_NETRC, CURL_NETRC_OPTIONAL)
setopt(easy, CURLOPT_COOKIEFILE, "")
setopt(easy, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT)

# ssh-related options
setopt(easy, CURLOPT_SSH_PRIVATE_KEYFILE, ssh_key_path())
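Review bot: `setopt(easy, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT)` assigns the whole bitmask, so any later `CURLOPT_SSL_OPTIONS` call from an easy hook silently drops this bit, and this line would likewise clobber any bit set before it; a comment should state that this is the complete intended default mask so that a future option is OR-ed in rather than assigned. The comment should also say that the bit only changes behaviour on the Schannel backend (the commit message describes it as Windows-specific, and `set_defaults` runs on every platform), and that the point of the option is to keep host verification on while tolerating an unreachable CRL server, so nobody later answers a firewall complaint by disabling verification here.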
5 changes: 1 addition & 4 deletions test/runtests.jl
@@ -414,10 +414,7 @@ include("setup.jl")
@testset "bad TLS is rejected" for url in urls
resp = request(url, throw=false)
@test resp isa RequestError
# FIXME: we should use Curl.CURLE_PEER_FAILED_VERIFICATION
# but LibCURL has gotten out of sync with curl and some
# of the constants are no longer correct; this is one
@test resp.code == 60
@test resp.code == Curl.CURLE_PEER_FAILED_VERIFICATION
end
@testset "easy hook work-around" begin
local url
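Review bot: swapping the literal `60` for `Curl.CURLE_PEER_FAILED_VERIFICATION` resolves the FIXME only on the surface: the new name is a constant defined by hand in src/Curl/Curl.jl with the same value, so the test still does not compare against LibCURL's constant and the drift the removed comment described is merely hidden. Either keep a one-line comment here saying the constant is locally defined because LibCURL's is out of sync, or add `@test Curl.CURLE_PEER_FAILED_VERIFICATION == 60` so a future switch back to LibCURL's binding is caught if that binding is still wrong. Separately, nothing in this testset exercises the new default: with revocation checks now best-effort, the `urls` loop should ideally include a certificate that is known to be revoked, so the "bad TLS is rejected" property is checked for the one case the commit message says must still fail.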

0 comments on commit 34deb3f