changeset 5945:089b8e5158d1

empty HttpsCACertificates is now equivalent to --ca-native curl option
author Alain Mazy <am@orthanc.team>
date Mon, 06 Jan 2025 13:17:08 +0100
parents cc6027cbd8f1
children b7524b8d3061
files NEWS OrthancFramework/Sources/HttpClient.cpp OrthancServer/Resources/Configuration.json OrthancServer/Sources/main.cpp
diffstat 4 files changed, 34 insertions(+), 10 deletions(-) [+]
--- a/NEWS	Thu Dec 26 13:18:12 2024 +0100
+++ b/NEWS	Mon Jan 06 13:17:08 2025 +0100
@@ -1,6 +1,13 @@
 Pending changes in the mainline
 ===============================
 
+Maintenance
+-----------
+
+* When the "HttpsCACertificates" configuration is empty.  Orthanc will now use the
+  operating system native CA store (if any).  This is equivalent to the --ca-native
+  curl option.
+
 
 Version 1.12.5 (2024-12-17)
 ===========================
--- a/OrthancFramework/Sources/HttpClient.cpp	Thu Dec 26 13:18:12 2024 +0100
+++ b/OrthancFramework/Sources/HttpClient.cpp	Mon Jan 06 13:17:08 2025 +0100
@@ -860,7 +860,15 @@
 
     if (verifyPeers_)
     {
-      CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_CAINFO, caCertificates_.c_str()));
+      if (caCertificates_.empty())  // use native CA store (equivalent to --ca-native)
+      {
+        CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NATIVE_CA));
+      }
+      else // use provided CA file (equivalent to --cacert)
+      {
+        CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_CAINFO, caCertificates_.c_str()));
+      }
+      
       CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYHOST, 2));  // libcurl default is strict verifyhost
       CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYPEER, 1)); 
     }
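Review bot: The new `CURLSSLOPT_NATIVE_CA` branch will not compile against a libcurl older than 7.71.0, where that constant is not defined; since the macro is a plain `#define` in curl.h, the setopt can be guarded as `#ifdef CURLSSLOPT_NATIVE_CA` / `CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NATIVE_CA));` / `#endif`, so that older toolchains simply keep libcurl's default CA bundle. `CURLOPT_SSL_OPTIONS` is a bitmask that replaces any previously set bits, so if this file sets other `CURLSSLOPT_*` flags elsewhere (not visible in the hunk) they should be OR-ed together rather than set in separate calls. Note also that the native-store lookup only takes effect with certain TLS backends (OpenSSL on Windows, and wolfSSL/GnuTLS on more platforms in newer releases); elsewhere libcurl silently keeps verifying against its compiled-in default bundle, so the unconditional "Orthanc will use the native CA store" wording in the warning of the following hunk overstates what happens and could read "Orthanc will use the native CA store where the TLS backend supports it, otherwise libcurl's default bundle". The enclosing function starts and ends outside the hunk.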
@@ -1187,8 +1195,8 @@
     {
       if (httpsVerifyCertificates.empty())
       {
-        LOG(WARNING) << "No certificates are provided to validate peers, "
-                     << "set \"HttpsCACertificates\" if you need to do HTTPS requests";
+        LOG(WARNING) << "No certificates are provided to validate peers.  Orthanc will use the native CA store. "
+                     << "Set \"HttpsCACertificates\" if you need to do HTTPS requests and use custom CAs.";
       }
       else
       {
--- a/OrthancServer/Resources/Configuration.json	Thu Dec 26 13:18:12 2024 +0100
+++ b/OrthancServer/Resources/Configuration.json	Mon Jan 06 13:17:08 2025 +0100
@@ -572,10 +572,10 @@
   // Set the timeout for HTTP requests issued by Orthanc (in seconds).
   "HttpTimeout" : 60,
 
-  // Enable the verification of the peers during HTTPS requests. This
-  // option must be set to "false" if using self-signed certificates.
-  // Pay attention that setting this option to "false" results in
-  // security risks!
+  // Enable the verification of the peers certificates during HTTPS 
+  // requests. Setting this option to false is equivalent to the 
+  // "--insecure" curl option. Pay attention that setting this option 
+  // to "false" results in security risks!
   // Reference: http://curl.haxx.se/docs/sslcerts.html
   "HttpsVerifyPeers" : true,
 
@@ -585,7 +585,10 @@
   // verify the peers. The file may contain multiple CA
   // certificates. The certificate(s) must be in PEM format." On
   // Debian-based systems, this option can be set to
-  // "/etc/ssl/certs/ca-certificates.crt"
+  // "/etc/ssl/certs/ca-certificates.crt".
+  // Starting with Orthanc 1.12.6, when this option is empty,
+  // Orthanc uses the operating system native CA store ("--ca-native"
+  // option)
   "HttpsCACertificates" : "",
 
 
--- a/OrthancServer/Sources/main.cpp	Thu Dec 26 13:18:12 2024 +0100
+++ b/OrthancServer/Sources/main.cpp	Mon Jan 06 13:17:08 2025 +0100
@@ -1526,9 +1526,15 @@
     // These configuration options must be set before creating the
     // ServerContext, otherwise the possible Lua scripts will not be
     // able to properly issue HTTP/HTTPS queries
+
+    std::string httpsCaCertificates = lock.GetConfiguration().GetStringParameter("HttpsCACertificates", "");
+    if (!httpsCaCertificates.empty())
+    {
+      httpsCaCertificates = lock.GetConfiguration().InterpretStringParameterAsPath(httpsCaCertificates);
+    }
+
     HttpClient::ConfigureSsl(lock.GetConfiguration().GetBooleanParameter("HttpsVerifyPeers", true),
-                             lock.GetConfiguration().InterpretStringParameterAsPath
-                             (lock.GetConfiguration().GetStringParameter("HttpsCACertificates", "")));
+                             httpsCaCertificates);
     HttpClient::SetDefaultVerbose(lock.GetConfiguration().GetBooleanParameter("HttpVerbose", false));
 
     // The value "0" below makes the class HttpClient use its default
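Review bot: The reason the empty string must bypass `InterpretStringParameterAsPath` is not stated, and it is the only thing that keeps the native-CA fallback reachable (presumably an interpreted "" resolves to a non-empty directory path, which `ConfigureSsl` would then treat as a CA file). A one-line comment above the `if` would keep a future cleanup from folding the two calls back together: `// An empty value means "use the native CA store" (see HttpClient::ConfigureSsl); it must not be resolved to a path`. The enclosing function continues outside the hunk.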