https://issues.shibboleth.net/jira/browse/CPPXT-101

[shibboleth/cpp-xmltooling.git] / xmltooling / soap / impl / CURLSOAPTransport.cpp

diff --git a/xmltooling/soap/impl/CURLSOAPTransport.cpp b/xmltooling/soap/impl/CURLSOAPTransport.cpp
index d91ecfc..26d3bc6 100644 (file)
--- a/xmltooling/soap/impl/CURLSOAPTransport.cpp
+++ b/xmltooling/soap/impl/CURLSOAPTransport.cpp
@@ -76,7 +76,7 @@ namespace xmltooling {
 #ifndef XMLTOOLING_NO_XMLSEC
                     m_cred(nullptr), m_trustEngine(nullptr), m_peerResolver(nullptr), m_mandatory(false),
 #endif
-                    m_openssl_ops(SSL_OP_ALL|SSL_OP_NO_SSLv2), m_ssl_callback(nullptr), m_ssl_userptr(nullptr),
+                    m_openssl_ops(SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3), m_ssl_callback(nullptr), m_ssl_userptr(nullptr),
                     m_chunked(true), m_authenticated(false), m_cacheTag(nullptr) {
             m_handle = g_CURLPool->get(addr);
             curl_easy_setopt(m_handle,CURLOPT_URL,addr.m_endpoint);
@@ -535,11 +535,11 @@ void CURLSOAPTransport::send(istream* in)
     m_useragent = XMLToolingConfig::getConfig().user_agent;
     if (!m_useragent.empty()) {
         curl_version_info_data* curlver = curl_version_info(CURLVERSION_NOW);
-        m_useragent += " libcurl/";
-        if (curlver)
-            m_useragent = m_useragent + curlver->version + ' ' + curlver->ssl_version;
-        else
-            m_useragent = m_useragent + LIBCURL_VERSION + ' ' + OPENSSL_VERSION_TEXT;
+
+        if (curlver) {
+            m_useragent = m_useragent + " libcurl/" + curlver->version + ' ' + curlver->ssl_version;
+        }
+
         curl_easy_setopt(m_handle, CURLOPT_USERAGENT, m_useragent.c_str());
     }
 
@@ -568,7 +568,11 @@ void CURLSOAPTransport::send(istream* in)
 
     // Make the call.
     log.debug("sending SOAP message to %s", m_endpoint.c_str());
-    if (curl_easy_perform(m_handle) != CURLE_OK) {
+    CURLcode code = curl_easy_perform(m_handle);
+    if (code != CURLE_OK) {
+        if (code == CURLE_SSL_CIPHER) {
+            log.error("on Red Hat 6+, make sure libcurl used is built with OpenSSL");
+        }
         throw IOException(
             string("CURLSOAPTransport failed while contacting SOAP endpoint (") + m_endpoint + "): " +
                 (curl_errorbuf[0] ? curl_errorbuf : "no further information available"));
@@ -705,9 +709,9 @@ CURLcode xmltooling::xml_ssl_ctx_callback(CURL* curl, SSL_CTX* ssl_ctx, void* us
 {
     CURLSOAPTransport* conf = reinterpret_cast<CURLSOAPTransport*>(userptr);
 
-    // Default flags manually disable SSLv2 so we're not dependent on libcurl to do it.
-    // Also disable the ticket option where implemented, since this breaks a variety
-    // of servers. Newer libcurl also does this for us.
+    // Default flags manually disable SSLv2 and SSLv3 so we're not dependent on libcurl
+    // to do it. Also disable the ticket option where implemented, since this breaks a
+    // variety of servers. Newer libcurl also does this for us.
 #ifdef SSL_OP_NO_TICKET
     SSL_CTX_set_options(ssl_ctx, conf->m_openssl_ops|SSL_OP_NO_TICKET);
 #else