curl-library

Re: [PATCH] CURLOPT_CACERTSTORE

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 11 May 2011 18:42:07 +0200 (CEST)

On Mon, 9 May 2011, girish_at_shankar-software.org wrote:

> This is the first time I am contributing to open source.

Hi and welcome and many thanks for your contribution and desire to improve
libcurl. Now we'll inspect your work closer and we'll discuss around the
specific feature and the way you've implemented it to see where it'll go!

> We wanted a way to make sure that our program loads data ONLY from our
> website. To ensure that, we decided to use https. But the major weakness of
> the scheme is that the list of root certificates supplied with the software
> can be compromised either by the user or his employees or by a third party.

I wouldn't call that a "major weakness". I think you're bending the existing
feature to better suit your slightly unusual corner case.

I'm not convinced this is a feature we need in libcurl - and if we do, your
implementation of it is far too OpenSSL-specific. Also note that your patch
has several irrelevant changes that have nothing to do with the specific
feature you're working on. It is important that we keep changes separate and
that each patch fixes only the intended issue.

Can't you accomplish the same thing by using an existing callback already? For
example the CURLOPT_SSL_CTX_FUNCTION one?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2011-05-11