
curl-library

Re: ssl certificates again

From: Philippe Raoult <phir_at_gcu-squad.org>
Date: Tue, 25 Mar 2003 08:42:50 +0100

On Mon, 24 Mar 2003 23:42:05 +0100 (CET)
Daniel Stenberg <daniel_at_haxx.se> wrote:

> (I'm sorry this has taken me a while!)

It's ok, I've been busy doing other things too :)

> > > caveats:
> >
> > another one :
> > * now I seem to get those : cURL error : SSL:
> > error:00000001:lib(0):func(0):reason(1).
>
> > It looks like it is related to the VERIFYPEER option.
>
> Yes, I see reason 1 returned from OpenSSL at times when the ca cert
> doesn't properly verify the peer.

> > I can't figure out what the code is trying to do, but the callback curl
> > uses for checking the peer doesn't seem to do anything, I don't know if
> > it's really useful. If anyone can enlighten me on this ...
>
> Are you saying that your patch makes this error more likely to occur or
> just that you saw this even with your patch applied?

Well, with my code it's not properly transformed into a curl error ("could
not verify peer certificate"). I'm not sure about how it should be done or
how the new option should interact with the others.

> A few remarks on your patch:
>
> We can't depend on the HAVE_XXX or USE_SSLEAY defines in the curl/curl.h
> header, since that is a public header and we can't expect other
> applications to set those defines in the same manner as (lib)curl does.

Yes, this was the fastest hack I could figure. I guess I'll have to make the
callback take a void * argument instead of an X509*? This way it can be
defined without [optionally] including SSL stuff. If you have a better
idea...

> Also, all other options that set callbacks have a corresponding option
> that sets the user data pointer. As in READFUNCTION/READDATA,
> WRITEFUNCTION/WRITEDATA so I guess it would make the best sense if
> CERTFUNCTION had a CERTDATA that set the user pointer passed in to the
> callback...

It makes sense, yeah. I wanted to avoid adding unnecessary options but if
there's no other way I'll do it.

> I was also missing the man page section describing how the new option
> works and is supposed to be used by applications. I would LOVE a source
> code example showing this...

I'll do that when the option's behavior is decided. At the moment I'm not
sure as to how it should interact with VERIFY_PEER: should it overwrite
it completely or should it just replace curl's own verify function?

regards,

Philippe
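The API shape under discussion (a certificate callback declared with an opaque void * so the public header needs no SSL headers, paired with a user-data option in the READFUNCTION/READDATA style) can be sketched in plain C. The block below is an added example written for this page; it is not code from the curl project or from the patch being discussed. All names (cert_check_cb, conn_opts, check_peer, run_scenario, fake_x509) are hypothetical, and it assumes one of the two semantics Philippe asks about: the callback runs in addition to the built-in VERIFY_PEER chain check and can only add rejections, never undo a chain failure.

```c
#include <stdio.h>
#include <string.h>

/* ---- public header part: deliberately no OpenSSL types here ---- */
/* Certificate-check callback. `cert` is opaque to the header; the application
 * casts it to the SSL library's type itself. Return 1 to accept, 0 to reject. */
typedef int (*cert_check_cb)(void *cert, void *userdata);

typedef struct {
    int verify_peer;         /* analogous to the VERIFYPEER option */
    cert_check_cb cert_func; /* the proposed CERTFUNCTION */
    void *cert_data;         /* the proposed CERTDATA, handed back to cert_func */
} conn_opts;

enum { CONN_OK = 0, CONN_PEER_FAILED_VERIFICATION = 1 };

/* ---- library-internal part: knows the concrete certificate type ---- */
/* Constructed stand-in for X509*; chain_ok is the CA-chain verification result. */
typedef struct {
    const char *subject_cn;
    int chain_ok;
} fake_x509;

/* Assumed semantics: built-in peer verification runs first; the application
 * callback can only add rejections on top of it, never override a chain failure. */
static int check_peer(const conn_opts *o, fake_x509 *cert)
{
    if (o->verify_peer && !cert->chain_ok)
        return CONN_PEER_FAILED_VERIFICATION;
    if (o->cert_func && !o->cert_func(cert, o->cert_data))
        return CONN_PEER_FAILED_VERIFICATION;
    return CONN_OK;
}

/* ---- application side ---- */
typedef struct {
    const char *expected_cn; /* name the application pins */
    int calls;               /* how often the callback ran */
} pin_ctx;

/* Application callback: accepts only a certificate whose CN matches the pin. */
static int pin_cn(void *cert, void *userdata)
{
    fake_x509 *c = (fake_x509 *)cert; /* app-side cast to the SSL type */
    pin_ctx *ctx = (pin_ctx *)userdata;
    ctx->calls++;
    return strcmp(c->subject_cn, ctx->expected_cn) == 0;
}

/* Drives one connection attempt with constructed inputs. pinned == NULL means
 * no callback installed. Returns the CONN_* result; *calls receives the number
 * of callback invocations. */
int run_scenario(int verify_peer, int chain_ok, const char *cn,
                 const char *pinned, int *calls)
{
    pin_ctx ctx = { pinned, 0 };
    conn_opts o = { verify_peer, pinned ? pin_cn : NULL, &ctx };
    fake_x509 cert = { cn, chain_ok };
    int rc = check_peer(&o, &cert);
    if (calls)
        *calls = ctx.calls;
    return rc;
}

int main(void)
{
    int calls, rc;
    rc = run_scenario(1, 1, "example.org", "example.org", &calls);
    printf("valid chain, matching pin:  rc=%d, callback calls=%d\n", rc, calls);
    rc = run_scenario(1, 0, "example.org", "example.org", &calls);
    printf("broken chain, matching pin: rc=%d, callback calls=%d\n", rc, calls);
    rc = run_scenario(1, 1, "other.example", "example.org", &calls);
    printf("valid chain, wrong name:    rc=%d, callback calls=%d\n", rc, calls);
    return 0;
}
```

The second scenario is the point of the assumed semantics: when the chain check fails, the application callback is never consulted, so a permissive callback cannot turn VERIFY_PEER off by accident. The void * in the public typedef keeps the header free of any HAVE_XXX or USE_SSLEAY dependency, exactly the concern raised about curl/curl.h.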

Received on 2003-03-25