
curl-library

RE: SV: 2. Cert chain for data channel

From: Mehmet Bozkurt <mehmet.bozkurt_at_xware.se>
Date: Mon, 20 Sep 2010 16:11:45 +0200

> >> You up to work on this?
> >
> > Sure =)!
>
> Great!
>
> > But I'm new to submitting code to open source projects. Should I make
> > a solution proposal and send it to you as a patch or do we first
> > decide, jointly, on how to solve the problem?
>
> Whatever works best for you. If you want to try the concept on us
> first, then do that, but if you prefer to write up the code and try out
> an implementation in your end first and then show us that, it certainly
> works as well.
>
> >> The current implementation doesn't really allow this but it should
> >> be fairly easy to just allow it to keep two instances around...
> >
> > A patch might be in place here as well? Adding a callback somewhere
> > after ssl_connect, to allow a client to verify the certs etc, for all
> > ssl connections. However, I need to read up some more on OpenSSL to
> > fully understand what is going on.
>
> One tricky part with SSL stuff in the libcurl code is that we want to
> allow as much functionality as possible that isn't bound to any
> particular SSL library, as we have many users using GnuTLS or NSS (and
> more!) as alternatives to OpenSSL. (Although CERTINFO is the black sheep
> in this company as it only works with OpenSSL...)

I have added a new callback type (this is for libcurl built with OpenSSL
only) after SSL_connect in ossl_connect_step2, ssluse.c. Here, the
application gets a chance to inspect/modify etc. the OpenSSL SSL object
used in the connection. We have our own cert verification functionality
which I call from here. If the validation fails I return
CURLE_PEER_FAILED_VERIFICATION. Other uses might require new error codes.
See the details of the patch in the attached files. sslcallback.patch
contains patches for several files. I hope submitting patches this way is
permitted, else let me know and I'll split them up into individual files.

If you think that this patch, and previous ones I have submitted, are OK to
add to main, I would be really glad. All feedback is welcome.

Best regards,
Mehmet.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2010-09-20