From d34b152a7d209f707e849f25e602fcec2b8e59d8 Mon Sep 17 00:00:00 2001
From: Stefan Karpinski
Date: Wed, 21 Apr 2021 10:33:07 -0400
Subject: [PATCH] set TLS option CURLSSLOPT_REVOKE_BEST_EFFORT

The Windows native TLS backend (Schannel) makes synchronous certificate revocation checks against a CRL server. For users behind a firewall, this server may be unreachable, causing the TLS connection to fail. The CURLSSLOPT_REVOKE_BEST_EFFORT option addresses precisely this situation, configuring Schannel to make a best effort revocation check but allowing the connection if the CRL server cannot be reached, as long as the certificate isn't already known to be revoked. This behavior matches the default revocation checking behavior on macOS (asynchronous best effort) and is strictly more secure than Linux where no CRL checking is done. Since the typical advice in such situations is to disable TLS host verification entirely, this is an improvement in that with this option, so long as the client's system CA roots are configured correctly, host verification will work and at least local MITM attacks are prevented.
---
 src/Curl/Curl.jl | 4 ++++
 src/Curl/Easy.jl | 1 +
 test/runtests.jl | 5 +----
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/Curl/Curl.jl b/src/Curl/Curl.jl
index 3d86b61..e4f5171 100644
--- a/src/Curl/Curl.jl
+++ b/src/Curl/Curl.jl
@@ -29,6 +29,10 @@ using LibCURL
 using LibCURL: curl_off_t # not exported: https://github.com/JuliaWeb/LibCURL.jl/issues/87
+# constants that LibCURL should have but doesn't
+const CURLE_PEER_FAILED_VERIFICATION = 60
+const CURLSSLOPT_REVOKE_BEST_EFFORT = 1 << 3
+
 using NetworkOptions
 using Base: preserve_handle, unpreserve_handle
diff --git a/src/Curl/Easy.jl b/src/Curl/Easy.jl
index c143fdd..88a867c 100644
--- a/src/Curl/Easy.jl
+++ b/src/Curl/Easy.jl
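Review bot: The two added constants are hand-copied values from curl's `curl.h`, but the comment above them does not record which header release they were taken from, so a reader cannot tell whether `1 << 3` is still the CURLSSLOPT_REVOKE_BEST_EFFORT bit or whether 60 is the current peer-verification code for the libcurl actually linked — exactly the drift the removed test comment complains about. Document the provenance on each line, e.g. `# CURLSSLOPT_REVOKE_BEST_EFFORT (Schannel only): bit value from curl.h as of libcurl <LIBCURL-VERSION>` and `# CURLE_PEER_FAILED_VERIFICATION: curl.h value as of libcurl <LIBCURL-VERSION>`, with the real versions filled in by the author. Since these are plain module `const`s declared after `using LibCURL`, a future LibCURL release that exports the same names will most likely be shadowed here without any warning rather than flagged as a conflict; a short note saying so, or a check that the local value equals LibCURL's when that name is defined, would keep the two definitions from diverging silently. On a libcurl that predates the option the bit is presumably ignored and revocation stays fail-closed, which is the safer direction, but that is worth stating so nobody assumes the best-effort behaviour is guaranteed.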
@@ -51,6 +51,7 @@ function set_defaults(easy::Easy)
 setopt(easy, CURLOPT_USERAGENT, USER_AGENT)
 setopt(easy, CURLOPT_NETRC, CURL_NETRC_OPTIONAL)
 setopt(easy, CURLOPT_COOKIEFILE, "")
+ setopt(easy, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT)
 # ssh-related options
 setopt(easy, CURLOPT_SSH_PRIVATE_KEYFILE, ssh_key_path())
diff --git a/test/runtests.jl b/test/runtests.jl
index e52892b..fd4bb20 100644
--- a/test/runtests.jl
+++ b/test/runtests.jl
@@ -414,10 +414,7 @@ include("setup.jl")
 @testset "bad TLS is rejected" for url in urls
 resp = request(url, throw=false)
 @test resp isa RequestError
- # FIXME: we should use Curl.CURLE_PEER_FAILED_VERIFICATION
- # but LibCURL has gotten out of sync with curl and some
- # of the constants are no longer correct; this is one
- @test resp.code == 60
+ @test resp.code == Curl.CURLE_PEER_FAILED_VERIFICATION
 end
 @testset "easy hook work-around" begin
 local url
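Review bot: `CURLOPT_SSL_OPTIONS` is a bitmask that is assigned as a whole, so the added `setopt` replaces any SSL-option bits set on the handle before it and is itself wiped out by any later `setopt(easy, CURLOPT_SSL_OPTIONS, …)`; if another code path or a user easy-hook ever sets this option, the bits must be OR-ed into a single value rather than set independently, which is worth a comment here since nothing in the hunk prevents it. The line also carries none of the reasoning from the commit message, and the mask looks interchangeable with `CURLSSLOPT_NO_REVOKE` when it is not; a comment such as `# Schannel: still reject certs known to be revoked, but do not fail the handshake when the CRL server is unreachable (CURLSSLOPT_NO_REVOKE would skip the check entirely)` would stop a future maintainer from "simplifying" it into the weaker option. Because the option is applied unconditionally to every handle, a caller who needs fail-closed revocation checking has no way to opt out; an opt-out via NetworkOptions or a keyword may be worth a follow-up. `set_defaults` starts and ends outside the hunk.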
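Review bot: The replaced assertion now compares against a constant the package itself hard-codes to 60, so it still pins the error code a failed verification must produce, but nothing in the suite exercises the new best-effort revocation option: the `urls` iterated here (defined outside the hunk) presumably carry untrusted or mismatched certificates, which fail verification in any revocation mode. A case with a certificate known to be revoked, asserted the same way, would cover the fail-closed side of CURLSSLOPT_REVOKE_BEST_EFFORT and would catch a regression that dropped revocation checking altogether (for example by ever switching to CURLSSLOPT_NO_REVOKE), which the current suite would let through. The `"easy hook work-around"` testset that begins in the last context lines continues outside the hunk.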