curl-library

Re: [PATCH] Handle --cacert option on Mac OS X with darwinssl

From: Vilmos Nebehaj <v.nebehaj_at_gmail.com>
Date: Wed, 23 Apr 2014 12:12:45 +0200

On Wed, Apr 23, 2014 at 8:30 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Tue, 22 Apr 2014, Nick Zitzmann wrote:
>
>> I've skimmed over it, and I'm reluctant to include it in the next point
>> release, mainly because this is a huge change to secure code used by
>> millions of people[1], and we've already learned in the past two months how
>> a single line in supposedly secure code can cause a huge security hole (see
>> "goto fail" and Heartbleed).

No offense, but what will change if we just sit and wait? This is a
feature that is missing from cURL currently. There are also millions
of people using self-signed certificates. For them the only option
right now if they want to use cURL with Secure Transport is to
*disable* certificate verification. I'm not sure that's a good
tradeoff.

>> We ought to consider this for a future release, though. Thanks for the
>> patch.
>
>
> Any suggestions on how we'd proceed to merge it? It is right now 231 new
> lines of code.
>
> We should consider what test cases we have that would run this code, or
> rather what tests we can and should add to increase our chances of detecting
> problems.

Test cases 310, 311, 312 and 313 already test --cacert. 313 still
fails since that requires --crlfile to work too (not implemented with
DarwinSSL - I plan to look into it later). These tests use an
stunnel-wrapped http server, so it means we test cURL+Secure Transport
against stunnel+OpenSSL using a PEM CA certificate - seems like a good
integration test. I can add a few more test cases that do the same
using the DER CA certificate (the patch makes sure both PEM and DER
certificates are handled).

> Also, once we merge it people (on Mac at least) can use clang-analyzer etc
> to statically analyze the code for possible flaws.

Thanks, good idea. This is something I have not done, but I can check
what scan-build says after applying the patch.

>
>
>> it's a core component of OS X starting in Mavericks
>
>
> I recognize that and I think it is awesome. But we also can't make that fact
> scare us away from doing/adding good stuff. Plus the fact that Apple is in
> fact deciding for themselves what to do with their OS and they're more than
> welcome to come forward and help us test and improve things!

Is the system cURL compiled with Secure Transport support on
Mavericks? I only have a 10.8 box, on it it's still compiled with
OpenSSL.

>
> --
>
> / daniel.haxx.se
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-04-23
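
Added example, not part of the original message or of the patch under discussion: a Python sketch of what accepting both PEM and DER CA files involves, normalizing either format to DER blobs and rejecting malformed input rather than loading it. The function names and the 5-byte stand-in "certificate" are constructed for illustration.

```python
import base64
import re

# Matches each certificate block in a PEM bundle (a CA file may hold several).
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def der_total_length(buf: bytes) -> int:
    """Return the encoded size of the DER SEQUENCE at the start of buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def load_ca_file(data: bytes) -> list:
    """Return the DER blobs in a CA file, accepting PEM or DER input."""
    if b"-----BEGIN" in data:
        blobs = []
        for match in PEM_CERT.finditer(data):
            body = b"".join(match.group(1).split())   # drop line breaks
            blobs.append(base64.b64decode(body, validate=True))
        if not blobs:
            raise ValueError("PEM file contains no complete certificate block")
    else:
        blobs = [data]
    for der in blobs:
        # Fail closed: trailing bytes or truncation means the file is rejected.
        if der_total_length(der) != len(der):
            raise ValueError("certificate is not a single well-formed DER object")
    return blobs


# Constructed sample: a 5-byte DER SEQUENCE standing in for a certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(load_ca_file(SAMPLE_PEM) == load_ca_file(SAMPLE_DER))
```

A test pair like the PEM/DER cases mentioned in the message would feed the same CA in both encodings and expect identical results, as the final comparison does here.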