curl-library

RE: Web service over SSL

From: Rathi, Dinesh <drathi_at_informatica.com>
Date: Mon, 27 Feb 2006 13:46:32 +0530

Please see below

-----Original Message-----
From: curl-library-bounces_at_cool.haxx.se
[mailto:curl-library-bounces_at_cool.haxx.se] On Behalf Of Gonzalo Diethelm
Sent: Monday, February 27, 2006 10:38 AM
To: libcurl development
Subject: Web service over SSL

Hello all,

I'm using curl for a project that involves using SSL to connect to a
server, send a request and retrieve an answer. I have the following
four, probably very simple, questions:

1. The server will have a certificate signed by my own CA. The client
will have whatever piece of the CA data is necessary to validate that
the server is the correct one. If the SSL validation goes Ok, I expect
the client to be able to communicate to the server. But if the SSL
validation is not Ok, say because someone is trying to impersonate my
server, exactly where in the curl library would I get something
equivalent to "invalid server certificate"? What call would exactly
fail, and how would I realize in my code that things failed because of a
bad certificate validation?

[Dinesh] I think the call to make the http request (curl_easy_perform or
equivalent) will fail. There might be some callbacks in between to hook
but I am not sure.

2. The client has to send certain structured data to the server, and get
a response in the shape of more structured data; it is, in fact, a web
service where, instead of using XML files, we use a proprietary format.
What is the correct way of sending this type of information from the
client to the server? I'm thinking of sending the data as a file upload
(mime type application/x-www-form-urlencoded); any hints or suggestions?

[Dinesh] You can send the data as POST body as well.

3. Same question for the response: what is the correct way of sending
this kind of data back from the server to the client? Right now I just
use a <pre></pre> section within an otherwise empty HTML response (makes
things easier to debug), but I'm wondering if there is a better way.

[Dinesh] Yes, http response should be fine to use.

4. I would really like to be able to "lock down" the server. By this I
mean it would be great to have a server that's a binary executable, with
no configuration files and no way to, for example, examine any traffic
logs or other conditions. This is because sometimes I will deploy this
server in hostile environments, and I really don't want customers
snooping around or, even worse, modifying the server configuration. In
other words, I need an embedded HTTP server (or a library that
implements an HTTP server) where I can add my own code. It is
imperative that such a thing supports SSL (directly or via OpenSSL).
Anybody can recommend something close to this, hopefully open source?

Thanks in advance for any hints. Best regards to everyone.

-- 
Gonzalo Diethelm
gonzalo.diethelm_at_aditiva.com
Received on 2006-02-27