Re: SSL/TLS support using Windows SSPI Schannel API

From: Marc Hörsken <info_at_marc-hoersken.de>
Date: Tue, 10 Apr 2012 21:34:01 +0200

Hello everyone,

I just updated the schannel branch on github again.
The following things have been implemented since my last email:

- SSL/TLS session handling
- SSL/TLS re-negotiation

The remaining TODOs are now reduced to:

- implement write buffering
- implement SSL/TLS shutdown
- implement client certificates
- implement server certificates
- implement algorithm option

But especially the re-negotiation part requires more testing.

Best regards,
Marc

2012/4/9 Marc Hörsken <info_at_marc-hoersken.de>
>
> Hello everyone,
>
> this weekend I took the time to create a new SSL/TLS module for libcurl.
> It is now possible to use the Windows SSPI Schannel API for SSL and TLS
> connections.
>
> The new module makes use of the existing SSPI functionality in
> curl_sspi.[ch] and also re-uses the DLL/library context if it has been
> loaded.
> Basically Curl_schannel_init calls Curl_sspi_global_init
> and Curl_schannel_cleanup calls Curl_sspi_global_cleanup.
>
> More information about SSPI and the Schannel API:
>
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa374731(v=vs.85).aspx#sspi_functions
>
> http://msdn.microsoft.com/en-us/library/windows/desktop/ms678421(v=vs.85).aspx
>
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa375924(v=vs.85).aspx
>
> TLSv1, SSLv3 and SSLv2, including SNI, are already supported. The following
> aspects/features are still on my TODO list:
>
> - implement session handling and re-use
> - implement write buffering
> - implement verification options
> - implement verification results
> - implement SSL/TLS shutdown
> - special cases: negotiation, certificates, algorithms
>
> The great news behind all this is that it is now possible to do SSL/TLS
> with curl, but without openssl on Windows. This means that the Windows
> certificate store is used and there are no other dependencies which need to
> be installed. (Using user supplied certificates and client-auth is on my
> TODO list, but not implemented yet.)
>
> You can find the current implementation in my fork at github.com:
> https://github.com/mback2k/curl/tree/schannel
> https://github.com/mback2k/curl/compare/schannel
> I am not attaching patches yet, because I am still cleaning up some things
> and consider the project a work-in-progress.
>
> I also haven't modified the autotools buildscripts yet. I only added a new
> option to the winbuild scripts. You can now pass WITH_SSL=schannel to them,
> for example:
>
>     nmake /f Makefile.vc mode=dll ENABLE_IDN=no WITH_SSL=schannel
>
> I would appreciate it if some of you could start testing this and give me
> feedback on functionality and code. Also I would appreciate any help
> modifying the autotools scripts to make cross-compilation using mingw
> possible.
>
> That's it for now, thanks in advance and please give it a try!
>
> Best regards,
> Marc

Received on 2012-04-10