SV: 1. FTP cmd channel and data channel validation, 2. Cert chain for data channel

From: Mehmet Bozkurt <mehmet.bozkurt_at_xware.se>
Date: Wed, 15 Sep 2010 09:30:45 +0200

> > 1. Does libcurl perform any sort of check internally that, in case of FTP,
> > the command channel server ip-address and data channel server ip-address are
> > the same? E.g. to prevent someone else connecting on the data channel socket
> > when in Active mode.
>
> No. See the lib/ftp.c:AllowServerConnect() for the details.
>
> > If not, is it possible to perform this check in a client application,
> > perhaps through the means of CURLINFO_PRIMARY_IP?
>
> I don't see how. CURLINFO_PRIMARY_IP is the primary IP, which means the
> control channel connection for FTP...
>
> I can't think of any particular way an application can do this additional
> check with libcurl. We should probably work on either making it possible for
> the app, or provide an option to do the check within libcurl itself.
>
> You up to work on this?

Sure =)! But I'm new to submitting code to open source
projects. Should I make a solution proposal and send it to you
as a patch or do we first decide, jointly, on how to solve the problem?

For this particular problem I am thinking of adding a client callback in
AllowServerConnect, to allow a client app to retrieve the peer ip-address.
And if any error is returned the connection is prevented.
>
> > 2. Does CURLINFO_CERTINFO provide information about the certificate chain
> > for the 'last' successfully established SSL connection.
>
> Yes.
>
> > Or is the certificate information stored once and remains the same for all
> > following SSL transfers?
>
> No.
>
> > What I want to achieve is the possibility to retrieve the cert chain for
> > both command and data channels.
>
> The current implementation doesn't really allow this but it should be fairly
> easy to just allow it to keep two instances around...

A patch might be in place here as well? Adding a callback somewhere after
ssl_connect, to allow a client to verify the certs etc., for all SSL
connections. However, I need to read up some more on OpenSSL to fully
understand what is going on.

/Mehmet.
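
An added example, not libcurl's code and not the patch discussed in this mail: the address comparison that a check in AllowServerConnect (or a client callback fed the peer address) would need, written as a stand-alone C helper. In active mode the client listens and the server connects back, so the peer returned by accept() on the data socket is compared with the peer of the control socket (as getpeername() would report it); a mismatch is rejected. The function names same_peer_host and data_peer_allowed are assumptions, and all addresses are constructed for the example.

```c
/* Added example (not libcurl code): compare the control-channel peer with the
 * data-channel peer and fail closed on a mismatch or an unparsable address. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Return 1 if both addresses are the same family and the same host address.
 * Ports are deliberately ignored: the server's data-channel source port
 * (usually 20) differs from the control-channel port (21). */
int same_peer_host(const struct sockaddr *a, const struct sockaddr *b)
{
    if (a->sa_family != b->sa_family)
        return 0;
    if (a->sa_family == AF_INET) {
        const struct sockaddr_in *x = (const struct sockaddr_in *)a;
        const struct sockaddr_in *y = (const struct sockaddr_in *)b;
        return x->sin_addr.s_addr == y->sin_addr.s_addr;
    }
    if (a->sa_family == AF_INET6) {
        const struct sockaddr_in6 *x = (const struct sockaddr_in6 *)a;
        const struct sockaddr_in6 *y = (const struct sockaddr_in6 *)b;
        return memcmp(&x->sin6_addr, &y->sin6_addr, sizeof(x->sin6_addr)) == 0;
    }
    return 0; /* unknown family: fail closed */
}

/* Parse a textual IPv4 or IPv6 address into a sockaddr_storage; 0 on success. */
static int make_addr(const char *text, struct sockaddr_storage *out)
{
    memset(out, 0, sizeof(*out));
    struct sockaddr_in *v4 = (struct sockaddr_in *)out;
    if (inet_pton(AF_INET, text, &v4->sin_addr) == 1) {
        v4->sin_family = AF_INET;
        return 0;
    }
    struct sockaddr_in6 *v6 = (struct sockaddr_in6 *)out;
    if (inet_pton(AF_INET6, text, &v6->sin6_addr) == 1) {
        v6->sin6_family = AF_INET6;
        return 0;
    }
    return -1;
}

/* A dual-stack listening socket reports an IPv4 peer as ::ffff:a.b.c.d; fold
 * that back to plain IPv4 so it compares equal to an IPv4 control socket. */
static void unmap_v4(struct sockaddr_storage *ss)
{
    struct sockaddr_in6 *v6 = (struct sockaddr_in6 *)ss;
    if (ss->ss_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&v6->sin6_addr)) {
        struct in_addr v4addr;
        memcpy(&v4addr, &v6->sin6_addr.s6_addr[12], sizeof(v4addr));
        memset(ss, 0, sizeof(*ss));
        struct sockaddr_in *v4 = (struct sockaddr_in *)ss;
        v4->sin_family = AF_INET;
        v4->sin_addr = v4addr;
    }
}

/* Decide whether an accepted data connection may proceed, given the textual
 * control-channel peer and the textual data-channel peer. 1 = accept, 0 = reject. */
int data_peer_allowed(const char *control_peer, const char *data_peer)
{
    struct sockaddr_storage c, d;
    if (make_addr(control_peer, &c) != 0 || make_addr(data_peer, &d) != 0)
        return 0; /* unparsable input: reject rather than guess */
    unmap_v4(&c);
    unmap_v4(&d);
    return same_peer_host((const struct sockaddr *)&c, (const struct sockaddr *)&d);
}

int main(void)
{
    /* Constructed sample addresses, not captured from any real session. */
    printf("same v4:      %d\n", data_peer_allowed("192.0.2.10", "192.0.2.10"));
    printf("other host:   %d\n", data_peer_allowed("192.0.2.10", "198.51.100.7"));
    printf("same v6:      %d\n", data_peer_allowed("2001:db8::1", "2001:db8::1"));
    printf("v4-mapped v6: %d\n", data_peer_allowed("192.0.2.10", "::ffff:192.0.2.10"));
    return 0;
}
```

Only the host part is compared, because the server's data connection normally originates from port 20 while the control connection is on port 21; a port comparison would reject every legitimate transfer. The IPv4-mapped case matters in practice: a client that listens on an AF_INET6 socket with IPV6_V6ONLY off will see IPv4 servers as ::ffff: addresses, and a naive family check would then refuse every IPv4 data connection.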

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-09-15