tls: add new SSLSUPP flags for several options

So that curl_easy_setopt() correctly returns error for those not supported by the backend. Closes #20364
2026-04-15 01:01:41 +03:00 · 2026-01-20 00:03:00 +01:00 · 2026-01-20 00:03:00 +01:00 · d7bbc78360
commit d7bbc78360
parent a87f346189
7 changed files with 33 additions and 9 deletions
--- a/lib/setopt.c
+++ b/lib/setopt.c
@ -1867,7 +1867,9 @@ static CURLcode setopt_cptr(struct Curl_easy *data, CURLoption option,
     * Set CRL file info for SSL connection. Specify filename of the CRL
     * to check certificates revocation
     */
-    return Curl_setstropt(&s->str[STRING_SSL_CRLFILE], ptr);
+    if(Curl_ssl_supports(data, SSLSUPP_CRLFILE))
+      return Curl_setstropt(&s->str[STRING_SSL_CRLFILE], ptr);
+    return CURLE_NOT_BUILT_IN;
  case CURLOPT_SSL_CIPHER_LIST:
    if(Curl_ssl_supports(data, SSLSUPP_CIPHER_LIST))
      /* set a list of cipher we want to use in the SSL connection */
@ -2265,7 +2267,9 @@ static CURLcode setopt_cptr(struct Curl_easy *data, CURLoption option,
     * Set Issuer certificate file
     * to check certificates issuer
     */
-    return Curl_setstropt(&s->str[STRING_SSL_ISSUERCERT], ptr);
+    if(Curl_ssl_supports(data, SSLSUPP_ISSUERCERT))
+      return Curl_setstropt(&s->str[STRING_SSL_ISSUERCERT], ptr);
+    return CURLE_NOT_BUILT_IN;
  case CURLOPT_PRIVATE:
    /*
     * Set private data pointer.
@ -2278,7 +2282,9 @@ static CURLcode setopt_cptr(struct Curl_easy *data, CURLoption option,
     * Set accepted curves in SSL connection setup.
     * Specify colon-delimited list of curve algorithm names.
     */
-    return Curl_setstropt(&s->str[STRING_SSL_EC_CURVES], ptr);
+    if(Curl_ssl_supports(data, SSLSUPP_SSL_EC_CURVES))
+      return Curl_setstropt(&s->str[STRING_SSL_EC_CURVES], ptr);
+    return CURLE_NOT_BUILT_IN;
  case CURLOPT_SSL_SIGNATURE_ALGORITHMS:
    /*
     * Set accepted signature algorithms.
@ -2885,7 +2891,9 @@ static CURLcode setopt_blob(struct Curl_easy *data, CURLoption option,
    /*
     * Blob that holds Issuer certificate to check certificates issuer
     */
-    return Curl_setblobopt(&s->blobs[BLOB_SSL_ISSUERCERT], blob);
+    if(Curl_ssl_supports(data, SSLSUPP_ISSUERCERT_BLOB))
+      return Curl_setblobopt(&s->blobs[BLOB_SSL_ISSUERCERT], blob);
+    return CURLE_NOT_BUILT_IN;

  default:
    return CURLE_UNKNOWN_OPTION;
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@ -2296,7 +2296,9 @@ const struct Curl_ssl Curl_ssl_gnutls = {
  SSLSUPP_HTTPS_PROXY |
  SSLSUPP_CAINFO_BLOB |
  SSLSUPP_CIPHER_LIST |
-  SSLSUPP_CA_CACHE,
+  SSLSUPP_CA_CACHE |
+  SSLSUPP_ISSUERCERT |
+  SSLSUPP_CRLFILE,

  sizeof(struct gtls_ssl_backend_data),

--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@ -1526,7 +1526,11 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
  SSLSUPP_TLS13_CIPHERSUITES |
 #endif
  SSLSUPP_HTTPS_PROXY |
-  SSLSUPP_CIPHER_LIST,
+  SSLSUPP_CIPHER_LIST |
+#ifdef MBEDTLS_X509_CRL_PARSE_C
+  SSLSUPP_CRLFILE |
+#endif
+  0,

  sizeof(struct mbed_ssl_backend_data),

--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@ -5415,7 +5415,11 @@ const struct Curl_ssl Curl_ssl_openssl = {
 #endif
  SSLSUPP_CA_CACHE |
  SSLSUPP_HTTPS_PROXY |
-  SSLSUPP_CIPHER_LIST,
+  SSLSUPP_CIPHER_LIST |
+  SSLSUPP_ISSUERCERT |
+  SSLSUPP_ISSUERCERT_BLOB |
+  SSLSUPP_SSL_EC_CURVES |
+  SSLSUPP_CRLFILE,

  sizeof(struct ossl_ctx),

--- a/lib/vtls/rustls.c
+++ b/lib/vtls/rustls.c
@ -1399,7 +1399,8 @@ const struct Curl_ssl Curl_ssl_rustls = {
  SSLSUPP_CIPHER_LIST |
  SSLSUPP_TLS13_CIPHERSUITES |
  SSLSUPP_CERTINFO |
-  SSLSUPP_ECH,
+  SSLSUPP_ECH |
+  SSLSUPP_CRLFILE,
  sizeof(struct rustls_ssl_backend_data),

  NULL,                            /* init */
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@ -43,6 +43,10 @@ struct dynbuf;
 #define SSLSUPP_CA_CACHE     (1 << 8)
 #define SSLSUPP_CIPHER_LIST  (1 << 9) /* supports TLS 1.0-1.2 ciphersuites */
 #define SSLSUPP_SIGNATURE_ALGORITHMS (1 << 10) /* supports TLS sigalgs */
+#define SSLSUPP_ISSUERCERT   (1 << 11) /* supports CURLOPT_ISSUERCERT */
+#define SSLSUPP_SSL_EC_CURVES (1 << 12) /* supports CURLOPT_SSL_EC_CURVES */
+#define SSLSUPP_CRLFILE      (1 << 13) /* supports CURLOPT_CRLFILE */
+#define SSLSUPP_ISSUERCERT_BLOB (1 << 14) /* CURLOPT_ISSUERCERT_BLOB */

 #ifdef USE_ECH
 # include "../curlx/base64.h"
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@ -2283,7 +2283,8 @@ const struct Curl_ssl Curl_ssl_wolfssl = {
  SSLSUPP_TLS13_CIPHERSUITES |
 #endif
  SSLSUPP_CA_CACHE |
-  SSLSUPP_CIPHER_LIST,
+  SSLSUPP_CIPHER_LIST |
+  SSLSUPP_SSL_EC_CURVES,

  sizeof(struct wssl_ctx),