cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: Custom OpenSSL crypto engine not known to cURL

From: Petr Pisar <petr.pisar_at_atlas.cz>
Date: Wed, 10 Mar 2010 12:38:19 +0100

On Wed, Mar 10, 2010 at 10:57:33AM +0100, Daniel Stenberg wrote:
> On Tue, 9 Mar 2010, Petr Pisar wrote:
>
> I'm cc'ing my response to curl-library since we're discussing modifying the
> lib. I do think we should move this discussion over to that list.
>
Ok. Subscribed.

> > I inspired by openssl(1) initicialization and adjusted curl library.
> >
> > Now I'm able to list dynamic engines defined in config file:
>
> > Well, user can use OPENSSL_CONF environment variable or to use default
> > openssl.cnf file from default OpenSSL directory.
>
> Thanks! It certainly seems like a decent approach to add. I miss the
> documentation part of the patch (at least a rudimental description of how it
> is to be used)

As I wrote if user defines OPENSSL_CONF environment variable, the variable
value is used as OpenSSL configuration file. Otherwise `openssl.cnf' file from
OpenSSL installation directory will be used. OpenSSL tools (openssl(1)) use
this approach.

If you meant to document this behaviour in user documentation files, you must
point me where exactly (manual pages curl(1), curl(3); README, INTERNALS,
MANUAL file?), or do it yourself. I'm sorry, I'm new to libcurl and I don't
know the best place.

> library behaviors, but in this case since it wants to change how the global
> init is done, I can't see a lot of good alternatives.
>
OPENSSL_CONF is the same hack as SSL_DIR for NSS crypto backend. When
I wrote my application, I thought CURLOPT_CAPATH should carry NSS database
path instead of setting SSL_DIR. It's little confusing.

> > + prefix = X509_get_default_cert_area();
>
> And this call is safe and known to never fail?
>

I have much better patch. OpenSSL exports CONF_modules_load_file(filename, ...)
that loads filename config file or default one if filename==NULL. Following
patch provides equivalent functionality :)

BTW, second argument of CONF_modules_load_file() selects configuration profile
from the file. Users would like to pass it either. We could define other
environment variable.

-- Petr

--- curl-7.20.0/lib/ssluse.c 2010-02-09 09:43:16.000000000 +0100
+++ curl-7.20.0-devel/lib/ssluse.c 2010-03-10 12:20:29.000000000 +0100
@@ -679,6 +679,11 @@
   /* Lets get nice error messages */
   SSL_load_error_strings();
 
+ /* Load config file */
+ OPENSSL_load_builtin_modules();
+ if (CONF_modules_load_file(getenv("OPENSSL_CONF"), NULL, 0) <= 0)
+ return 0;
+
   /* Init the global ciphers and digests */
   if(!SSLeay_add_ssl_algorithms())
     return 0;

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html

  • application/pgp-signature attachment: stored
Received on 2010-03-10