curl-library
Re: SSL/TLS support using Windows SSPI Schannel API
Date: Sat, 14 Apr 2012 13:22:06 +0200
2012/4/14 Gisle Vanem <gvanem_at_broadpark.no>:
> "Marc Hoersken" <info_at_marc-hoersken.de> wrote:
>
>> Therefore I consider those things something which I or others can add
>> later on, because until these options are implemented in libcurl,
>> Windows will choose the best available cipher from the registry and
>> use certificates from the Windows Certification Store.
>
>
> Speaking of certificates, with libcurl+OpenSSL it's quite handy to know the
> server's certs. E.g.:
>
> curl.exe -v --trace-ascii - https://www.google.com
> ...
>
> 0000: .....P..^N..?.;.
> == Info: SSL connection using ECDHE-RSA-RC4-SHA
> == Info: Server certificate:
> == Info: subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
> == Info: start date: 2011-10-26 00:00:00 GMT
> == Info: expire date: 2013-09-30 23:59:59 GMT
> == Info: common name: www.google.com (matched)
> == Info: issuer: C=ZA; O=Thawte Consulting (Pty) Ltd.; CN=Thawte SGC CA
> == Info: SSL certificate verify ok.
>
> Using libcurl+Schannel I get no such trace. Would it be possible? There are
> maybe some Schannel callbacks that could do this?
>
SSPI or Schannel does not use the concept of callbacks, but there
might be a structure which can be queried for.
I think I will be able to at least get the CA name using
QueryContextAttributes and SECPKG_ATTR_AUTHORITY:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379340.aspx
The pBuffer parameter contains a pointer to a
SecPkgContext_Authority structure.
Queries the name of the authenticating authority.
And I might also be able to get the cipher information, but not sure
about that yet.
Might be part of the SCHANNEL_CRED structure once the connection has
been established:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa374716.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379810.aspx
We'll have to see. But it is important to understand that
SSPI/Schannel hides most of the complexity and therefore also some
functionality of SSL/TLS encryption behind the API. This is the whole
purpose of the general SSPI API and provider approach. It might be
hard to get some information out of it.
Tracing the raw data transfer is not a problem, because the socket
reading/writing is done by libcurl and not Schannel.
>
>> I would really like to see those changes make it into libcurl. Maybe
>> more testing is required and therefore I also ask you people to test
>> it. Once you also consider it stable, it can be merged into libcurl,
>> even though there are some long-term TODOs open.
>
>
> Agreed, merge into the official repo. I find it good.
>
Great!
Best regards,
Marc
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-04-14
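Added example, not taken from this thread or from libcurl: one way to see, from PowerShell on Windows, the server certificate and cipher details that Schannel does hold for an established session. .NET's SslStream is implemented on top of SSPI/Schannel on Windows; its RemoteCertificate property and its CipherAlgorithm, HashAlgorithm, KeyExchangeAlgorithm, CipherStrength and SslProtocol properties are the values Schannel returns through QueryContextAttributes for SECPKG_ATTR_REMOTE_CERT_CONTEXT and SECPKG_ATTR_CONNECTION_INFO, which is the same data a libcurl Schannel backend would have to query to print a trace like the OpenSSL-backed one quoted above. The host name, port and the "== Info:" output layout are assumptions of this example; it needs network access to the named host and uses the default Schannel chain validation against the Windows certificate store.

```powershell
# Added example, not part of the curl thread or of libcurl.
# Shows what Schannel exposes about an established TLS session by going
# through .NET's SslStream, which on Windows is implemented on SSPI/Schannel.
# $HostName and $Port are assumed inputs chosen for this example.
param(
    [string]$HostName = 'www.google.com',
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $client.Connect($HostName, $Port)

    # No custom validation callback: SslStream lets Schannel verify the chain
    # against the Windows certificate store, and AuthenticateAsClient throws
    # AuthenticationException if verification fails. curl's "verify ok" case
    # is the one where no exception is raised.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)

    # The host name is what Schannel matches against the certificate's CN/SAN.
    $ssl.AuthenticateAsClient($HostName)

    # These properties come from SECPKG_ATTR_CONNECTION_INFO: the cipher, hash
    # and key exchange Schannel picked according to the registry policy.
    "== Info: SSL connection using {0}-{1}-{2} ({3} bit), {4}" -f `
        $ssl.KeyExchangeAlgorithm, $ssl.CipherAlgorithm, $ssl.HashAlgorithm, `
        $ssl.CipherStrength, $ssl.SslProtocol

    # RemoteCertificate comes from SECPKG_ATTR_REMOTE_CERT_CONTEXT; wrap it in
    # X509Certificate2 to get the parsed subject, issuer and validity fields.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "== Info: Server certificate:"
    "== Info:   subject: $($cert.Subject)"
    "== Info:   start date: $($cert.NotBefore.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')) GMT"
    "== Info:   expire date: $($cert.NotAfter.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')) GMT"
    "== Info:   issuer: $($cert.Issuer)"
    "== Info: SSL certificate verify ok."
}
catch [System.Security.Authentication.AuthenticationException] {
    # Chain building or host-name matching failed inside Schannel.
    "== Info: SSL certificate verify failed: $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Close() }
    $client.Close()
}
```

Run it as `.\schannel-info.ps1 -HostName example.org` (script file name assumed). Because the validation callback is left at its default, a certificate that Schannel rejects ends up in the catch block rather than being silently accepted, which is the behaviour a transfer tool should keep when it moves from OpenSSL to Schannel.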