curl-library

Re: schannel modifications for WinCE 6

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 11 Sep 2014 11:14:38 +0200 (CEST)

On Wed, 10 Sep 2014, Ben Sutcliffe wrote:

> I can submit a patch if you guys are interested

Yes thanks, that'd be great! I'm sure there is or will be other interested
people.

> curl_schannel.c: - Explicitly set cipher algorithm to RC4. Whatever the
> default cipher was, it wasn't working unless I was careful to pad my
> messages to presumably the correct block size (?). I'm guessing RC4 works
> since it's a stream cipher instead of a block cipher...but I don't know much
> about crypto. Not sure how secure RC4 is anyway...so maybe there's a better
> alternative.

RC4 is insecure. To the point where we've stopped using it in general, and it
is being avoided universally where security and encryption are involved. See
http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02

The main problem with completely disabling RC4 all over tends to involve old
Windows installations, see
https://www.ietf.org/mail-archive/web/tls/current/msg11935.html

So, you need to consider the alternatives. RC4 is known to be insecure, but
possibly less bad than what other algorithms you can choose from!

> - Fix an apparent bug in hostname verification for wildcard certs. For
> *.example.com from the cert, it was comparing ".example.com" instead of
> "example.com" against the server's hostname

Oh, that's not just for the embedded version then is it? It sounds significant
enough that it is strange that it hasn't already been reported...

> - A few small mods to allow libcurl to build for WinCE 6 (e.g., use
> send()/recv() instead of write()/read()).

What? AFAIK, only minix uses write() and everything else uses send() already
(and all internals do it with swrite() which is a macro that "hides" the real
function being used). Am I wrong?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-09-11
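
For reference on the wildcard comparison discussed in the message above, here is an added example (not code from curl_schannel.c or from either poster) of left-most-label wildcard matching as described in RFC 6125 section 6.4.3. The function name `wildcard_host_match` is hypothetical, the sample names are constructed, and the caller is assumed to have already excluded IP-address literals.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>  /* strcasecmp (POSIX) */

/* Hypothetical helper, not curl's implementation.
 * Returns 1 if `host` matches certificate name `pattern`, else 0.
 * Only a whole left-most label "*" is accepted as a wildcard.
 * Assumption: the caller never passes an IP-address literal as `host`. */
int wildcard_host_match(const char *pattern, const char *host)
{
    const char *suffix, *host_rest;

    if (!pattern || !host || !*pattern || !*host)
        return 0;

    /* No wildcard: plain case-insensitive comparison. */
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;

    suffix = pattern + 1;            /* ".example.com", dot included */

    /* Require two labels after the wildcard, so "*.com" is refused. */
    if (!strchr(suffix + 1, '.'))
        return 0;

    /* The wildcard replaces exactly one non-empty label of the host. */
    host_rest = strchr(host, '.');
    if (!host_rest || host_rest == host)
        return 0;

    /* Comparing with the leading dot keeps "badexample.com" and the bare
     * "example.com" from matching "*.example.com". */
    return strcasecmp(suffix, host_rest) == 0;
}

int main(void)
{
    /* Constructed sample host names. */
    const char *hosts[] = { "www.example.com", "example.com",
                            "badexample.com", "a.b.example.com" };
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-18s -> %d\n", hosts[i],
               wildcard_host_match("*.example.com", hosts[i]));
    return 0;
}
```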