

SSL patch

From: Gisle Vanem <>
Date: Tue, 15 Jun 2004 18:06:28 +0200

I asked about Common Names regarding IDNA:

and got some conflicting answers, but I think libcurl does the right
thing by comparing 'peer_CN' against 'conn->'. Not sure
about the ASN1_STRING_to_UTF8() wrt. IDNA. Until I find an ACE-host
with a certificate, I'll leave it.

I have some other patches:

* Tracing of SSL/TLS handshake is handy with "curl --trace". Found
some problems with some https sites this way.

* Print the details of the CERT-problem from OpenSSL; "certificate expired"
or similar.

* If SSL_connect() fails and ERR_get_error() is 0, the problem is with the
socket-state itself. But OpenSSL seems to clear the errno so using SO_ERROR
isn't any help. This can happen e.g. if we request a SSLv2 method and the
host doesn't like us, it simply resets the connection. Verify with
curl --sslv2

So printing "Unknown SSL protocol error in connection to .." is better than
it is now.


Received on 2004-06-15
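
The third item in the mail, shown as an added example (not code from the mail, the patch, or libcurl): Python's standard `ssl` module wraps OpenSSL and makes the same split visible, raising an `SSLError` with a reason when OpenSSL queued an error and a plain socket error when the peer reset the connection mid-handshake. The names `serve_once` and `handshake_failure` are hypothetical, the loopback peer is constructed for the demo, and the `SO_LINGER` packing assumes a POSIX system.

```python
import socket
import ssl
import struct
import threading


def serve_once(behaviour):
    """Constructed loopback peer: reads the ClientHello, then misbehaves. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.settimeout(5)
        try:
            conn.recv(4096)  # wait until the client is inside its handshake
            if behaviour == "reset":
                # SO_LINGER with a zero timeout turns close() into a TCP RST.
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            else:
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")  # not a TLS record
                conn.recv(4096)  # keep the socket open until the client gives up
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def handshake_failure(host, port):
    """Return (kind, message) for a failed handshake; kind is 'openssl' or 'transport'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost"):
                return ("ok", "handshake completed")
    except (ssl.SSLEOFError, ssl.SSLSyscallError):
        return ("transport", f"Unknown SSL protocol error in connection to {host}:{port}")
    except ssl.SSLError as exc:
        return ("openssl", exc.reason or str(exc))  # OpenSSL queued a reason, so report it
    except OSError:
        # The socket itself failed (reset, refused, timeout): no OpenSSL detail exists.
        return ("transport", f"Unknown SSL protocol error in connection to {host}:{port}")


if __name__ == "__main__":
    for mode in ("reset", "garbage"):
        print(mode, handshake_failure("127.0.0.1", serve_once(mode)))
```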