curl-library

Re: Using an existing OpenSSL connection for libcurl HTTPS requests?

From: Peter Sylvester <peter.sylvester_at_edelweb.fr>
Date: Mon, 22 Mar 2010 18:03:40 +0100

>
> However, the legacy code does some fairly involved wrangling during
> the OpenSSL connection/initialisation phase (don't ask...), and we
> need to continue doing that. Picking it to pieces and trying to
> squeeze it into a CURLOPT_SSL_CTX_FUNCTION callback looks tricky and
> error prone, and we're not even sure it'll work. The function is
>

An application typically initializes the global SSL
algorithms etc., then you create an SSL_CTX. If you
do not use any of the curl parameters for SSL
except the callback, that's the environment you
get when the callback is called. Yes, if your application
uses a lot of variables on the stack, you need to
put them into a structure and pass an appropriate
pointer to the callback.

In the callback you just do exactly what your application
does between the SSL_CTX creation and the creation
of the SSL object.

Since you are able to use curl in the non-ssl environment,
you are happy with what it does to connect to the
partner?

> Is there a way to hand over a fully initialised, connected and
> ready-to-use OpenSSL context to libcurl and let it skip the host
> resolution, connection and initialisation phases entirely? If there
> isn't such a mechanism by design (we couldn't find one in the docs or
> by cursory examination of the code, but who knows), would it be
> straightforward to add something like this ourselves, and do you have
> any hints on how we might go about it?
>
- you might want to share the list of access functions that
  you call in your code to do things in the SSL_CTX.

- look where things are done in curl's ssluse.c

- There is an example (curlx.c) that does a pretty
  complicated thing:

  - use a pkcs12, take a client key/cert
  - use another CA as a trust anchor
  - change the curl URL to something that
    after receiving the server cert (the real reason
    for the callback).

- There may be something in your code that is done
AFTER establishing the connection and before
sending the actual POST based on some information
in the established connection. Most likely this
can be put into a certificate validation callback.

> Many thanks,
>
Have fun
Peter Sylvester
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-03-22