{
public:
CURLPool() : m_size(0), m_lock(Mutex::create()),
- m_log(Category::getInstance(XMLTOOLING_LOGCAT".SOAPTransport.CURL")) {}
+ m_log(Category::getInstance(XMLTOOLING_LOGCAT ".SOAPTransport.CURL")) {}
~CURLPool();
CURL* get(const SOAPTransport::Address& addr);
public:
CURLSOAPTransport(const Address& addr)
: m_sender(addr.m_from ? addr.m_from : ""), m_peerName(addr.m_to ? addr.m_to : ""), m_endpoint(addr.m_endpoint),
- m_handle(nullptr), m_headers(nullptr),
+ m_handle(nullptr), m_keepHandle(false), m_headers(nullptr),
#ifndef XMLTOOLING_NO_XMLSEC
m_cred(nullptr), m_trustEngine(nullptr), m_peerResolver(nullptr), m_mandatory(false),
#endif
- m_openssl_ops(SSL_OP_ALL|SSL_OP_NO_SSLv2), m_ssl_callback(nullptr), m_ssl_userptr(nullptr),
+ m_openssl_ops(SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3), m_ssl_callback(nullptr), m_ssl_userptr(nullptr),
m_chunked(true), m_authenticated(false), m_cacheTag(nullptr) {
m_handle = g_CURLPool->get(addr);
curl_easy_setopt(m_handle,CURLOPT_URL,addr.m_endpoint);
virtual ~CURLSOAPTransport() {
curl_slist_free_all(m_headers);
- curl_easy_setopt(m_handle, CURLOPT_USERAGENT, nullptr);
- curl_easy_setopt(m_handle, CURLOPT_ERRORBUFFER, nullptr);
- curl_easy_setopt(m_handle, CURLOPT_PRIVATE, m_authenticated ? "secure" : nullptr); // Save off security "state".
- g_CURLPool->put(m_sender.c_str(), m_peerName.c_str(), m_endpoint.c_str(), m_handle);
+ if (m_keepHandle) {
+ curl_easy_setopt(m_handle, CURLOPT_USERAGENT, nullptr);
+ curl_easy_setopt(m_handle, CURLOPT_ERRORBUFFER, nullptr);
+ curl_easy_setopt(m_handle, CURLOPT_PRIVATE, m_authenticated ? "secure" : nullptr); // Save off security "state".
+ g_CURLPool->put(m_sender.c_str(), m_peerName.c_str(), m_endpoint.c_str(), m_handle);
+ }
+ else {
+ curl_easy_cleanup(m_handle);
+ }
}
bool isConfidential() const {
// per-call state
string m_sender,m_peerName,m_endpoint,m_simplecreds;
CURL* m_handle;
+ bool m_keepHandle;
stringstream m_stream;
struct curl_slist* m_headers;
string m_useragent;
curl_easy_setopt(handle,CURLOPT_NOPROGRESS,1);
curl_easy_setopt(handle,CURLOPT_NOSIGNAL,1);
curl_easy_setopt(handle,CURLOPT_FAILONERROR,1);
- curl_easy_setopt(handle,CURLOPT_SSL_CIPHER_LIST,"ALL:!aNULL:!LOW:!EXPORT:!SSLv2");
+ // This may (but probably won't) help with < 7.20 bug in DNS caching.
+ curl_easy_setopt(handle,CURLOPT_DNS_CACHE_TIMEOUT,120);
+ curl_easy_setopt(handle,CURLOPT_SSL_CIPHER_LIST,"ALL:!aNULL:!LOW:!EXPORT:!RC4:!SSLv2");
// Verification of the peer is via TrustEngine only.
curl_easy_setopt(handle,CURLOPT_SSL_VERIFYPEER,0);
curl_easy_setopt(handle,CURLOPT_CAINFO,nullptr);
#ifdef _DEBUG
xmltooling::NDC ndc("send");
#endif
- Category& log=Category::getInstance(XMLTOOLING_LOGCAT".SOAPTransport.CURL");
- Category& log_curl=Category::getInstance(XMLTOOLING_LOGCAT".libcurl");
+ Category& log=Category::getInstance(XMLTOOLING_LOGCAT ".SOAPTransport.CURL");
+ Category& log_curl=Category::getInstance(XMLTOOLING_LOGCAT ".libcurl");
// For this implementation, it's sufficient to check for https as a sign of transport security.
if (m_mandatory && !isConfidential())
m_useragent = XMLToolingConfig::getConfig().user_agent;
if (!m_useragent.empty()) {
curl_version_info_data* curlver = curl_version_info(CURLVERSION_NOW);
- m_useragent += " libcurl/";
- if (curlver)
- m_useragent = m_useragent + curlver->version + ' ' + curlver->ssl_version;
- else
- m_useragent = m_useragent + LIBCURL_VERSION + ' ' + OPENSSL_VERSION_TEXT;
+
+ if (curlver) {
+ m_useragent = m_useragent + " libcurl/" + curlver->version + ' ' + curlver->ssl_version;
+ }
+
curl_easy_setopt(m_handle, CURLOPT_USERAGENT, m_useragent.c_str());
}
// Make the call.
log.debug("sending SOAP message to %s", m_endpoint.c_str());
- if (curl_easy_perform(m_handle) != CURLE_OK) {
+ CURLcode code = curl_easy_perform(m_handle);
+ if (code != CURLE_OK) {
+ if (code == CURLE_SSL_CIPHER) {
+ log.error("on Red Hat 6+, make sure libcurl used is built with OpenSSL");
+ }
throw IOException(
string("CURLSOAPTransport failed while contacting SOAP endpoint (") + m_endpoint + "): " +
(curl_errorbuf[0] ? curl_errorbuf : "no further information available"));
}
+ // This won't prevent every possible failed connection from being kept, but it's something.
+ m_keepHandle = true;
+
// Check for outgoing cache tag.
if (m_cacheTag) {
const vector<string>& tags = getResponseHeader("ETag");
#ifndef XMLTOOLING_NO_XMLSEC
int xmltooling::verify_callback(X509_STORE_CTX* x509_ctx, void* arg)
{
- Category& log=Category::getInstance(XMLTOOLING_LOGCAT".SOAPTransport.CURL");
+ Category& log=Category::getInstance(XMLTOOLING_LOGCAT ".SOAPTransport.CURL");
log.debug("invoking custom X.509 verify callback");
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
CURLSOAPTransport* ctx = reinterpret_cast<CURLSOAPTransport*>(arg);
}
if (!success) {
- log.error("supplied TrustEngine failed to validate SSL/TLS server certificate:");
+ log.error("supplied TrustEngine failed to validate SSL/TLS server certificate");
if (x509_ctx->cert) {
BIO* b = BIO_new(BIO_s_mem());
X509_print(b, x509_ctx->cert);
BIO_get_mem_ptr(b, &bptr);
if (bptr && bptr->length > 0) {
string s(bptr->data, bptr->length);
- log.error(s);
+ if (ctx->m_mandatory)
+ log.error(s);
+ else
+ log.debug(s);
}
BIO_free(b);
}
{
CURLSOAPTransport* conf = reinterpret_cast<CURLSOAPTransport*>(userptr);
- // Default flags manually disable SSLv2 so we're not dependent on libcurl to do it.
- // Also disable the ticket option where implemented, since this breaks a variety
- // of servers. Newer libcurl also does this for us.
+ // Default flags manually disable SSLv2 and SSLv3 so we're not dependent on libcurl
+ // to do it. Also disable the ticket option where implemented, since this breaks a
+ // variety of servers. Newer libcurl also does this for us.
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(ssl_ctx, conf->m_openssl_ops|SSL_OP_NO_TICKET);
#else
projects / shibboleth / cpp-xmltooling.git / blobdiff