curl: warn on unsupported SSL options

Closes #14406

src/tool_operate.c

@@ -951,6 +951,7 @@ static CURLcode single_transfer(struct GlobalConfig *global,
         urlnum = state->urlnum;
 
       if(state->up < state->infilenum) {
+        char ssl_ver[80] = "no ssl";
         struct per_transfer *per = NULL;
         struct OutStruct *outs;
         struct OutStruct *heads;
@@ -1660,6 +1661,14 @@ static CURLcode single_transfer(struct GlobalConfig *global,
             my_setopt(curl, CURLOPT_SSH_COMPRESSION, 1L);
         }
 
+        {
+          /* get current SSL backend, chop off multissl */
+          const char *v = curl_version_info(CURLVERSION_NOW)->ssl_version;
+          if(v)
+            msnprintf(ssl_ver, sizeof(ssl_ver),
+                      "%.*s", (int) strcspn(v, " "), v);
+        }
+
         if(config->cacert)
           my_setopt_str(curl, CURLOPT_CAINFO, config->cacert);
         if(config->proxy_cacert)
@@ -1668,9 +1677,10 @@ static CURLcode single_transfer(struct GlobalConfig *global,
         if(config->capath) {
           result = res_setopt_str(curl, CURLOPT_CAPATH, config->capath);
           if(result == CURLE_NOT_BUILT_IN) {
-            warnf(global, "ignoring %s, not supported by libcurl",
+            warnf(global, "ignoring %s, not supported by libcurl with %s",
-                  capath_from_env?
+                  capath_from_env ?
-                  "SSL_CERT_DIR environment variable":"--capath");
+                  "SSL_CERT_DIR environment variable" : "--capath",
+                  ssl_ver);
           }
           else if(result)
             break;
@@ -1685,8 +1695,10 @@ static CURLcode single_transfer(struct GlobalConfig *global,
           if((result == CURLE_NOT_BUILT_IN) ||
              (result == CURLE_UNKNOWN_OPTION)) {
             if(config->proxy_capath) {
-              warnf(global,
+              warnf(global, "ignoring %s, not supported by libcurl with %s",
-                    "ignoring --proxy-capath, not supported by libcurl");
+                    config->proxy_capath ?
+                    "--proxy-capath" : "--capath",
+                    ssl_ver);
             }
           }
           else if(result)
@@ -1704,8 +1716,8 @@ static CURLcode single_transfer(struct GlobalConfig *global,
                 blob.len);
           result = curl_easy_setopt(curl, CURLOPT_CAINFO_BLOB, &blob);
           if(result == CURLE_NOT_BUILT_IN) {
-            warnf(global,
+            warnf(global, "ignoring %s, not supported by libcurl with %s",
-                  "ignoring embedded CA bundle, not supported by libcurl");
+                  "embedded CA bundle", ssl_ver);
           }
         }
         if(!config->proxy_cacert && !config->proxy_capath) {
@@ -1718,8 +1730,8 @@ static CURLcode single_transfer(struct GlobalConfig *global,
                 blob.len);
           result = curl_easy_setopt(curl, CURLOPT_PROXY_CAINFO_BLOB, &blob);
           if(result == CURLE_NOT_BUILT_IN) {
-            warnf(global,
+            warnf(global, "ignoring %s, not supported by libcurl with %s",
-                  "ignoring embedded CA bundle, not supported by libcurl");
+                  "embedded CA bundle", ssl_ver);
           }
         }
 #endif
@@ -1731,8 +1743,13 @@ static CURLcode single_transfer(struct GlobalConfig *global,
         else if(config->crlfile) /* CURLOPT_PROXY_CRLFILE default is crlfile */
           my_setopt_str(curl, CURLOPT_PROXY_CRLFILE, config->crlfile);
 
-        if(config->pinnedpubkey)
+        if(config->pinnedpubkey) {
-          my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey);
+          result = res_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY,
+                                  config->pinnedpubkey);
+          if(result == CURLE_NOT_BUILT_IN)
+            warnf(global, "ignoring %s, not supported by libcurl with %s",
+                  "--pinnedpubkey", ssl_ver);
+        }
 
         if(config->ssl_ec_curves)
           my_setopt_str(curl, CURLOPT_SSL_EC_CURVES, config->ssl_ec_curves);
@@ -2049,19 +2066,34 @@ static CURLcode single_transfer(struct GlobalConfig *global,
         if(config->doh_url)
           my_setopt_str(curl, CURLOPT_DOH_URL, config->doh_url);
 
-        if(config->cipher_list)
+        if(config->cipher_list) {
-          my_setopt_str(curl, CURLOPT_SSL_CIPHER_LIST, config->cipher_list);
+          result = res_setopt_str(curl, CURLOPT_SSL_CIPHER_LIST,
-
+                                  config->cipher_list);
-        if(config->proxy_cipher_list)
+          if(result == CURLE_NOT_BUILT_IN)
-          my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
+            warnf(global, "ignoring %s, not supported by libcurl with %s",
+                  "--ciphers", ssl_ver);
+        }
+        if(config->proxy_cipher_list) {
+          result = res_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
                                   config->proxy_cipher_list);
-
+          if(result == CURLE_NOT_BUILT_IN)
-        if(config->cipher13_list)
+            warnf(global, "ignoring %s, not supported by libcurl with %s",
-          my_setopt_str(curl, CURLOPT_TLS13_CIPHERS, config->cipher13_list);
+                  "--proxy-ciphers", ssl_ver);
-
+        }
-        if(config->proxy_cipher13_list)
+        if(config->cipher13_list) {
-          my_setopt_str(curl, CURLOPT_PROXY_TLS13_CIPHERS,
+          result = res_setopt_str(curl, CURLOPT_TLS13_CIPHERS,
+                                  config->cipher13_list);
+          if(result == CURLE_NOT_BUILT_IN)
+            warnf(global, "ignoring %s, not supported by libcurl with %s",
+                  "--tls13-ciphers", ssl_ver);
+        }
+        if(config->proxy_cipher13_list) {
+          result = res_setopt_str(curl, CURLOPT_PROXY_TLS13_CIPHERS,
                                   config->proxy_cipher13_list);
+          if(result == CURLE_NOT_BUILT_IN)
+            warnf(global, "ignoring %s, not supported by libcurl with %s",
+                  "--proxy-tls13-ciphers", ssl_ver);
+        }
 
         /* new in libcurl 7.9.2: */
         if(config->disable_epsv)