curl-library

Re: [curl] Copy the darwinssl SSLContext peer trust into the PureInfo struct (#68)

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Thu, 30 May 2013 16:42:42 -0600

On May 30, 2013, at 3:50 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> There isn't. It is only documented as OpenSSL-only because it is; it is not a requirement, nor does it have to remain like that.
>
> I don't really like when we do things in the API that are SSL-backend specific, but I'm also aware that some things still need to be done like that so that we can provide good features.

Okay, so what do the rest of you think about opening up CURLOPT_SSL_CTX so that it works with all back-ends?

Let me describe the problem. On OS X, when a connection to a remote server fails because it is not trusted, it is customary for a GUI app to put up a window (an SFCertificateTrustPanel object, specifically) explaining why the server is not trusted and asking the user whether to connect anyway or stop. But the application needs to be able to access the failed trust data structure in order to run this sheet; it isn't invoked automatically by the OS. And the cleanest way I figured out how to do this was to share the SSLContextRef data structure with the application using CURLOPT_SSL_CTX. And then we don't need to add any new options to libcurl to get that trust, since I'm fairly certain this issue is specific to Apple's operating systems only (I understand other OSes have a similar panel, but they invoke it in a different way). So I think it would be a good thing to open this up…

Nick Zitzmann
<http://www.chronosnet.com/>

Received on 2013-05-31