Re: schannel modifications for WinCE 6
Date: Thu, 11 Sep 2014 08:57:00 -0400
On Thu, Sep 11, 2014 at 5:14 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> Yes thanks, that'd be great! I'm sure there is or will be other interested
Okay, attached a patch. I've never submitted one before, so let me know if
there are any issues. :) I also had to make some changes to
config-win32ce.h, but I'm assuming that's expected when building libcurl.
> RC4 is insecure. To the point where we've stopped using it in general, and
> it is being avoided universally where security and encryption are involved.
> See http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02
> The main problem with completely disabling RC4 all over tends to involve
> old Windows installations, see https://www.ietf.org/mail-
> So, you need to consider the alternatives. RC4 is known to be insecure,
> but possibly less bad than what other algorithms you can choose from!
From what I can tell, the WinCE 6 implementation of EncryptMessage() seems
to be generally broken when it concerns block ciphers, and RC4 is the only
cipher that I got to work...but I could be totally wrong here.
Unfortunately, I haven't found any other source to support my claim, so I
was hoping someone here had experience with schannel and WinCE 6. :)
Here's a list of the available ciphers for WinCE 6:
>> - Fix an apparent bug in hostname verification for wildcard certs. For
>> *.example.com from the cert, it was comparing ".example.com" instead of
>> "example.com" against the server's hostname
> Oh, that's not just for the embedded version then is it? It sounds
> significant enough that it is strange that it hasn't already been
The bug I found was in verify_certificate(), which is only used in the
WinCE implementation of schannel:
/* Windows CE doesn't do any server certificate validation.
We have to do it manually. */
return verify_certificate(conn, sockindex);
>> - A few small mods to allow libcurl to build for WinCE 6 (eg, use
>> send()/recv() instead of write()/read()).
> What? AFAIK, only minix uses write() and everything else uses send()
> already (and all internals do it with swrite() which is a macro that
> "hides" the real function being used). Am I wrong?
This one confused me as well. curlx_read() and curlx_write() were only
defined for Win32 and were implemented using read() and write().
-- Ben Sutcliffe
- application/octet-stream attachment: wince6-build-and-schannel-fixes.patch
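Hostname matching against a wildcard certificate name, as an added example of how such a check is expected to behave (illustrative code written for this note, not curl's verify_certificate() and not the attached patch): the wildcard is accepted only as the whole leftmost label, and the remainder of the pattern, including its leading dot, is compared with the host name from its first dot onward, so the ".example.com" versus "example.com" confusion discussed above cannot arise.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of two NUL-terminated DNS names. */
static bool dns_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Number of dot-separated labels in a name ("www.example.com" -> 3). */
static size_t count_labels(const char *name)
{
    size_t n = 1;
    for (; *name; name++)
        if (*name == '.')
            n++;
    return n;
}

/* Returns true if the server host name matches the certificate name.
 * A wildcard is accepted only as the entire leftmost label
 * ("*.example.com"), it covers exactly one label, and everything
 * after the '*' (".example.com", leading dot included) is compared
 * against the host name starting at its first dot. */
bool cert_name_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return false;
    if (strchr(pattern, '*') == NULL)
        return dns_equal(pattern, host);   /* no wildcard: exact match */
    if (pattern[0] != '*' || pattern[1] != '.')
        return false;                      /* wildcard must be the whole leftmost label */
    if (strchr(pattern + 2, '*'))
        return false;                      /* only one wildcard allowed */
    if (count_labels(pattern) < 3)
        return false;                      /* refuse "*.com"-style patterns */
    const char *host_rest = strchr(host, '.');
    if (!host_rest || host_rest == host)
        return false;                      /* host needs a non-empty leftmost label */
    /* For "www.example.com" host_rest is ".example.com" and matches;
     * for "a.b.example.com" it is ".b.example.com" and does not, so the
     * wildcard can never span more than one label. */
    return dns_equal(pattern + 1, host_rest);
}
```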