
curl-library

Re: TLS security in Curl

From: amit paliwal <amit.ambitions_at_gmail.com>
Date: Wed, 5 Jan 2011 10:27:23 -0500

On Tue, Jan 4, 2011 at 6:50 PM, Hu, Eric <EHu_at_directv.com> wrote:

> > If I make my custom protocol by using curl_easy_send() and
> > curl_easy_recv(), will curl still be handling TLS authentication on my
> > behalf before sending the data on network?
> >
> If by "protocol," you mean a new prefix (ie, the "http" in "
> http://cool.haxx.se"), then the short answer is no. TLS happens a few
> layers down, so it would be up to your protocol to talk to the TLS engine
> (eg OpenSSL or GnuTLS). Lucky for you, looking at how https is implemented
> (see http.c/h and sslgen.c/h) should be instructive. You may even be able
> to call existing functions.
>

The thing is, before using curl_easy_perform() to send an HTTP GET and get the
HTTP response, I need to block on some message from the server. Once this
message comes, I can use curl_easy_perform() to complete one round of GET
and response. But I think there is no provision to block before sending the
HTTP GET with curl_easy_perform(), so I need to customise it. There are two
options if I customise it:

1) Use typical OS calls, e.g. select() followed by recv(), to first wait
and then use curl_easy_perform(). But the problem with this approach is, when
I say recv(), it will not be TLS authenticated and I will have to do it on
my own.

2) Use CONNECT_ONLY and use curl_easy_send() and curl_easy_recv() to
implement it in the way I need. But I thought Curl can still handle TLS
authentication while sending and receiving from the network, even if I use
curl_easy_send() and curl_easy_recv().

Isn't it like HTTP and TLS are handled in two different layers, and TLS
authentication should happen just before sending it on the socket (TCP)? In that
case, even if I use curl_easy_send() in my way, it should handle the TLS
authentication?

> > Also if I use above mentioned API's, and implement some custom
> > protocol, will Curl take care of all HTTP protocol related issues, for
> > e.g. HTTP redirect and handling of error codes???
> >
> I think the short answer here is also no, for similar reasons as above.
> Also as above, you can probably make use of lots of existing code, either
> as examples or functions that you call.
>
> If this is for your SSE project, you may want to consider not creating a
> new protocol, though that's a design decision for you to make.
>
> Eric
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>

Received on 2011-01-05