Hello,
With the ecore_con_url module, an application can take advantage of
SSL/TLS connections (using HTTPS requests for instance) in order to
exchange sensitive data with a server. However, the connection will
always fail if the server certificate isn't signed by a certificate
authority (CA) that is trusted by the system on which the application is
run. There's no way to specify a custom CA to identify a specific
server, or to disable CA validation for a specific connection. Also,
it's not always possible (or a good solution) to add CAs to the ones the
target system trusts, because admin rights are needed to do so most of
the time.
The attached patch adds a method to specify custom CAs to be used for
validating the server certificate of a specific SSL-based request in
order to fix the above-mentioned issue. That method may also be used to
completely disable CA validation for the server certificate when server
identification isn't needed.
The javascript binding for that method is also included at the end of
the patch.
Please, consider that patch for inclusion in the trunk.
Regards.
--
PnB
Index: ecore/src/lib/ecore_con/ecore_con_url.c
===================================================================
--- ecore/src/lib/ecore_con/ecore_con_url.c (revision 55780)
+++ ecore/src/lib/ecore_con/ecore_con_url.c (working copy)
@@ -1061,6 +1061,55 @@
}
/**
+ * Set a custom CA to trust for SSL/TLS connections.
+ *
+ * Specify the path of a file (in PEM format) containing one or more
+ * CA certificate(s) to use for the validation of the server certificate.
+ *
+ * This function can also disable CA validation if @p ca_path is @c NULL.
+ * However, the server certificate still needs to be valid for the connection
+ * to succeed (i.e., the certificate must concern the server the
+ * connection is made to).
+ *
+ * @param url_con Connection object that will use the custom CA.
+ * @param ca_path Path to a CA certificate(s) file or @c NULL to disable
+ * CA validation.
+ *
+ * @return @c 0 on success. When cURL is used, non-zero return values
+ * are equal to cURL error codes.
+ */
+EAPI int
+ecore_con_url_ssl_ca_set(Ecore_Con_Url *url_con, const char *ca_path)
+{
+ int res = -1;
+
+#ifdef HAVE_CURL
+ if (!ECORE_MAGIC_CHECK(url_con, ECORE_MAGIC_CON_URL))
+ {
+ ECORE_MAGIC_FAIL(url_con, ECORE_MAGIC_CON_URL,
"ecore_con_url_ssl_ca_set");
+ return -1;
+ }
+
+ if (url_con->active) return -1;
+ if (!url_con->url) return -1;
+ if (ca_path == NULL)
+ res = curl_easy_setopt(url_con->curl_easy, CURLOPT_SSL_VERIFYPEER, 0);
+ else
+ {
+ res = curl_easy_setopt(url_con->curl_easy, CURLOPT_SSL_VERIFYPEER, 1);
+ if (!res)
+ res = curl_easy_setopt(url_con->curl_easy, CURLOPT_CAINFO, ca_path);
+ }
+#else
+ (void)url_con;
+ (void)ca_path;
+#endif
+
+ return res;
+}
+
+
+/**
* @}
*/
Index: ecore/src/lib/ecore_con/Ecore_Con.h
===================================================================
--- ecore/src/lib/ecore_con/Ecore_Con.h (revision 55780)
+++ ecore/src/lib/ecore_con/Ecore_Con.h (working copy)
@@ -524,6 +524,8 @@
Eina_Bool verbose);
EAPI void ecore_con_url_ftp_use_epsv_set(Ecore_Con_Url *url_con,
Eina_Bool use_epsv);
+EAPI int ecore_con_url_ssl_ca_set(Ecore_Con_Url *url_con,
+ const char *ca_path);
/**
* @}
Index: BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c
===================================================================
--- BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c
(revision 55780)
+++ BINDINGS/javascript/elixir/src/modules/bindings/ecore_con/ecore_con.c
(working copy)
@@ -1610,6 +1610,27 @@
return JS_TRUE;
}
+static JSBool
+elixir_ecore_con_url_ssl_ca_set(JSContext *cx, uintN argc, jsval *vp)
+{
+ Ecore_Con_Url *curl;
+ const char *filename;
+ const char *user;
+ const char *pass;
+ const char *upload_dir;
+ elixir_value_t val[2];
+
+ if (!elixir_params_check(cx, _ecore_con_url_string_params, val, argc,
JS_ARGV(cx, vp)))
+ return JS_FALSE;
+
+ GET_PRIVATE(cx, val[0].v.obj, curl);
+ filename = elixir_file_canonicalize(elixir_get_string_bytes(val[1].v.str,
NULL));
+
+ JS_SET_RVAL(cx, vp, INT_TO_JSVAL(ecore_con_url_ssl_ca_set(curl, filename)));
+
+ return JS_TRUE;
+}
+
static void
_elixir_ecore_con_lookup_cb(const char *canonname,
const char *ip,
@@ -1717,6 +1738,7 @@
ELIXIR_FN(ecore_con_url_time, 3, JSPROP_ENUMERATE, 0 ),
ELIXIR_FN(ecore_con_url_ftp_upload, 4, JSPROP_ENUMERATE, 0 ),
ELIXIR_FN(ecore_con_lookup, 3, JSPROP_ENUMERATE, 0),
+ ELIXIR_FN(ecore_con_url_ssl_ca_set, 2, JSPROP_ENUMERATE, 0 ),
JS_FS_END
};
------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and,
should the need arise, upgrade to a full multi-node Oracle RAC database
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
