curl-library

Re: SSL/TLS support using Windows SSPI Schannel API

From: Marc Hoersken <info_at_marc-hoersken.de>
Date: Sat, 14 Apr 2012 08:54:06 +0200

Hello everyone,

besides the following TODOs which haven't been implemented yet, the
SSL/TLS implementation is ready for use and works:
- implement write buffering
- implement SSL/TLS shutdown
- implement client certificate authentication
- implement custom server certificate validation
- implement cipher/algorithm option

Write buffering may be required for slow connections, but all other
points are more or less things which can grow in the future.
Windows WinCrypt API provides some functionality for Certificate
Management and Cipher Algorithms, but in order to make it conform to
the OpenSSL implementation, especially in order to make it use the
same cipher names and CA bundle formats, some work is required.
Therefore I consider those things something which I or others can add
later on, because until these options are implemented in libcurl,
Windows will choose the best available cipher from the registry and
use certificates from the Windows Certification Store.

Related articles on MSDN:
- Getting a Certificate for Schannel
  http://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx
- Specifying Schannel Ciphers and Cipher Strengths
  http://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx

Guenter modified the static mingw32 makefiles for me and I applied his
changes to my fork on github and also included them in my patches.
Thank you very much, Guenter!

He also tested the current state and said it works for him. I
personally did test the version compiled using the winbuild/ scripts
inside VC and also the version compiled with the static mingw32
makefiles. Everything seems to work fine so far, but I think
low-memory and slow-connection environments require some edge-case
testing.

I would really like to see those changes make it into libcurl. Maybe
more testing is required and therefore I also ask you people to test
it. Once you also consider it stable, it can be merged into libcurl,
even though there are some long-term TODOs open.

Guenter recommended attaching the patch itself and this is what I do
now, so that you can test the current version. But once it is going to
be merged into libcurl, I would really like to see my development
branch on github, including its commit history, being merged into the
main git repository. I read that this is not your normal workflow for
patches, but please consider the useful information in the commit
history of such a big patch.

Please take a look and provide feedback if desired. Have fun with the
changes and thanks in advance!

Best regards,
Marc

PS: Thanks for the feedback, Guenter and Steve!

Received on 2012-04-14