curl-library

Re: 1. FTP cmd channel and data channel validation, 2. Cert chain for data channel

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 15 Sep 2010 00:07:38 +0200 (CEST)

On Tue, 14 Sep 2010, Mehmet Bozkurt wrote:

> 1. Does libcurl perform any sort of check internally that, in case of FTP,
> the command channel server ip-address and data channel server ip-address are
> the same? E.g. to prevent someone else connecting on the data channel socket
> when in Active mode.

No. See the lib/ftp.c:AllowServerConnect() for the details.

> If not, is it possible to perform this check in a client application,
> perhaps through the means of CURLINFO_PRIMARY_IP?

I don't see how. CURLINFO_PRIMARY_IP is the primary IP, which means the
control channel connection for FTP...

I can't think of any particular way an application can do this additional
check with libcurl. We should probably work on either making it possible for
the app, or provide an option to do the check within libcurl itself.

You up to work on this?

> 2. Does CURLINFO_CERTINFO provide information about the certificate chain
> for the 'last' successfully established SSL connection?

Yes.

> Or is the certificate information stored once and remains the same for all
> following SSL transfers?

No.

> What I want to achieve is the possibility to retrieve the cert chain for
> both command and data channels.

The current implementation doesn't really allow this but it should be fairly
easy to just allow it to keep two instances around...

-- 
  / daniel.haxx.se
Received on 2010-09-15
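
The check asked about in question 1, sketched at the plain socket level as an added example: this is not code from libcurl or from this thread, and `same_peer_host` and `accept_from_control_peer` are hypothetical names. It compares only the host part of the two peer addresses (ports ignored, IPv6 scope ids not considered) and treats an IPv4-mapped IPv6 address as equal to its IPv4 form.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Normalise the host part to 16 bytes (IPv4 becomes ::ffff:a.b.c.d). */
static int host_bytes(const struct sockaddr *sa, unsigned char out[16])
{
  if(sa->sa_family == AF_INET) {
    memset(out, 0, 10);
    out[10] = out[11] = 0xff;
    memcpy(out + 12, &((const struct sockaddr_in *)sa)->sin_addr, 4);
    return 0;
  }
  if(sa->sa_family == AF_INET6) {
    memcpy(out, &((const struct sockaddr_in6 *)sa)->sin6_addr, 16);
    return 0;
  }
  return -1; /* unknown family: caller treats this as a mismatch */
}

/* Returns 1 if both sockaddrs name the same host, else 0. */
int same_peer_host(const struct sockaddr *ctrl, const struct sockaddr *data)
{
  unsigned char a[16], b[16];
  if(host_bytes(ctrl, a) || host_bytes(data, b))
    return 0;
  return memcmp(a, b, 16) == 0;
}

/* Active mode: accept on listen_fd and keep the socket only if its peer is
   the control connection's peer. Returns the data fd, or -1. */
int accept_from_control_peer(int ctrl_fd, int listen_fd)
{
  struct sockaddr_storage cp, dp;
  socklen_t cl = sizeof(cp), dl = sizeof(dp);
  int fd;
  if(getpeername(ctrl_fd, (struct sockaddr *)&cp, &cl))
    return -1;
  fd = accept(listen_fd, (struct sockaddr *)&dp, &dl);
  if(fd >= 0 && !same_peer_host((struct sockaddr *)&cp, (struct sockaddr *)&dp)) {
    close(fd); /* connection came from some other host: drop it */
    fd = -1;
  }
  return fd;
}
```

A multi-homed server or a NAT between client and server can make a legitimate data connection arrive from a different address than the control connection, so a strict check like this would need to be optional.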