curl: Add an option to select the SSL/TLS backend (if available)

If libcurl is built with MultiSSL support (not the case for e.g. Debian/Ubuntu, which ship separate, conflicting libraries), this allows selecting the SSL/TLS backend libcurl uses.
2025-10-03 00:00:24 -04:00 · 2023-01-13 17:17:06 +01:00 · 2023-01-13 17:17:06 +01:00 · 805cc3a69f
commit 805cc3a69f
parent d11868fb38
2 changed files with 67 additions and 0 deletions
--- a/conf/plugins/curl.opt
+++ b/conf/plugins/curl.opt
@ -1,3 +1,11 @@
 charon.plugins.curl.redir = -1
 	Maximum number of redirects followed by the plugin, set to 0 to disable
 	following redirects, set to -1 for no limit.
+
+charon.plugins.curl.tls_backend =
+	The SSL/TLS backend to configure in curl if multiple are available.
+
+	The SSL/TLS backend to configure in curl if multiple are available (requires
+	libcurl 7.56 or newer). A list of available options is logged on level 2 if
+	nothing is configured. Similar but on level 1 if the selected backend isn't
+	available.
--- a/src/libstrongswan/plugins/curl/curl_plugin.c
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2023 Tobias Brunner
 * Copyright (C) 2008 Martin Willi
 *
 * Copyright (C) secunet Security Networks AG
@ -152,6 +153,60 @@ METHOD(plugin_t, destroy, void,
 	free(this);
 }

+#if LIBCURL_VERSION_NUM >= 0x073800
+/**
+ * Configure a specific SSL backend if multiple are available
+ */
+static void set_ssl_backend()
+{
+	const curl_ssl_backend **avail;
+	char *backend, buf[BUF_LEN] = "";
+	int i, len = 0, added;
+
+	backend = lib->settings->get_str(lib->settings, "%s.plugins.curl.tls_backend",
+									 NULL, lib->ns);
+	switch (curl_global_sslset(-1, backend, &avail))
+	{
+		case CURLSSLSET_UNKNOWN_BACKEND:
+			for (i = 0; avail[i]; i++)
+			{
+				added = snprintf(buf + len, sizeof(buf) - len, " %s",
+								 avail[i]->name);
+				if (added < sizeof(buf) - len)
+				{
+					len += added;
+				}
+			}
+			if (backend)
+			{
+				DBG1(DBG_LIB, "unsupported TLS backend '%s' in libcurl, "
+					 "available:%s", backend, buf);
+			}
+			else
+			{
+				DBG2(DBG_LIB, "available TLS backends in libcurl:%s", buf);
+			}
+			break;
+		case CURLSSLSET_NO_BACKENDS:
+			if (backend)
+			{
+				DBG1(DBG_LIB, "unable to set TLS backend '%s', libcurl was "
+					 "built without TLS support", backend);
+			}
+			break;
+		case CURLSSLSET_TOO_LATE:
+			if (backend)
+			{
+				DBG1(DBG_LIB, "unable to set TLS backend '%s' in libcurl, "
+					 "already set", backend);
+			}
+			break;
+		case CURLSSLSET_OK:
+			break;
+	}
+}
+#endif
+
 /*
 * see header file
 */
@ -170,6 +225,10 @@ plugin_t *curl_plugin_create()
 		},
 	);

+#if LIBCURL_VERSION_NUM >= 0x073800
+	set_ssl_backend();
+#endif
+
 	res = curl_global_init(CURL_GLOBAL_SSL);
 	if (res != CURLE_OK)
 	{