
curl-users

Re: [PATCH]add --peer-CN-regex option to the command line tool

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 4 Jun 2003 23:43:01 +0200 (CEST)

On Wed, 4 Jun 2003, Torsten Foertsch wrote:

(This is now cc'ed to the libcurl mailing list as we've moved to talk about
libcurl changes and then I think we're better off with a libcurl audience than
with the curl tool dudes. Please take follow-ups there!)

> I accept your remark. I rather wanted to make it configurable but I have
> never worked with automake. I don't know what files to patch to do that.

No worries about that, if you provide the patch I can fiddle the necessary
automake magic to make things work out. If needed.

> As M Biswas <m.biswas_at_cleartool.com> mentioned there is PCRE
> (http://www.pcre.org/). I'll change my patch to use this library. If
> someone could give me a starting point I'll make it configurable with an
> option to ./configure in the next few days.

I'm sorry I didn't express myself clearly:

libcurl is a rather low-level library and I intend to keep it dependent on as
few libraries as possible (mainly only libraries that provide features for
the transport protocols that make better sense than to rewrite them
ourselves). I do not think regexes of ANY kind are necessary for libcurl's
operations and I will not accept code that uses such libraries into the main
libcurl source tree.

> > I would guess that a much simpler approach would suffice for most people,
> > using good old and much simpler DOS-style wildcards. Don't you agree?
>
> I don't like DOS-style wildcards. The problem where I started thinking
> about that patch was a script that receives one of a few hosts to connect
> to from the user either by name or by IP address. These hosts have
> certificates with a Common Name that matches ^wsr[1-5]\.company\.tld$. With
> DOS-style wildcards I can say *.company.tld or wsr*.company.tld that match
> much more hosts. The regex matches exactly the allowed hosts.

Then I'd suggest one of these alternative approaches:

A) We add (yet another) callback to libcurl that allows the application to
   provide the name check. Possibly, the callback function for certificate
   verification that is in the works by Peter Sylvester could also do that.
   Any details on this Peter?

   When this is made, we could make the curl tool support whatever regex
   library we think is fit. I still think it is overkill.

B) We offer a list of host names to the library, where one of the given
   names may match.

-- 
 Daniel Stenberg -- curl: been grokking URLs since 1998
Received on 2003-06-04
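
The trade-off discussed in this message, as an added example that is not part of the original mail and is not libcurl code: an explicit name list (approach B) compared with a wildcard and with the anchored regex from the quoted text. POSIX `fnmatch()` stands in for DOS-style wildcards, and the function names and the host list are assumptions made for illustration.

```c
#include <fnmatch.h>
#include <regex.h>
#include <stdio.h>
#include <strings.h>

/* Approach B: the peer CN must equal one of the names the caller listed.
   DNS names are case-insensitive, so compare without regard to case. */
int cn_in_list(const char *cn, const char *const *names, size_t count)
{
  size_t i;
  for(i = 0; i < count; i++)
    if(strcasecmp(cn, names[i]) == 0)
      return 1;
  return 0;
}

/* Shell-style glob, used here as a stand-in for "DOS-style wildcards". */
int cn_matches_glob(const char *cn, const char *pattern)
{
  return fnmatch(pattern, cn, 0) == 0;
}

/* POSIX extended regex. A pattern that fails to compile matches nothing,
   so a broken pattern rejects the peer instead of accepting it. */
int cn_matches_regex(const char *cn, const char *pattern)
{
  regex_t re;
  int ok;
  if(regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
    return 0;
  ok = regexec(&re, cn, 0, NULL, 0) == 0;
  regfree(&re);
  return ok;
}

/* Constructed sample data: the five hosts the regex in the thread allows. */
static const char *const ALLOWED[] = {
  "wsr1.company.tld", "wsr2.company.tld", "wsr3.company.tld",
  "wsr4.company.tld", "wsr5.company.tld"
};
#define ALLOWED_COUNT (sizeof(ALLOWED) / sizeof(ALLOWED[0]))

int main(void)
{
  /* Constructed CNs: one allowed host and two near misses. */
  static const char *const seen[] = {
    "wsr3.company.tld", "wsr9.company.tld", "wsr-test.company.tld"
  };
  size_t i;
  for(i = 0; i < sizeof(seen) / sizeof(seen[0]); i++)
    printf("%-22s list=%d glob=%d regex=%d\n", seen[i],
           cn_in_list(seen[i], ALLOWED, ALLOWED_COUNT),
           cn_matches_glob(seen[i], "wsr*.company.tld"),
           cn_matches_regex(seen[i], "^wsr[1-5]\\.company\\.tld$"));
  return 0;
}
```

For a small, fixed set of hosts the explicit list accepts exactly the same names as the anchored regex, while the wildcard also accepts the two near misses.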