curl-library

Re: schannel modifications for WinCE 6

From: Ben Sutcliffe <bsutcliffe_at_gmail.com>
Date: Thu, 11 Sep 2014 08:57:00 -0400

On Thu, Sep 11, 2014 at 5:14 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
>
> Yes thanks, that'd be great! I'm sure there is or will be other interested
> people.

Okay, attached a patch. I've never submitted one before, so let me know if
there are any issues. :) I also had to make some changes to
config-win32ce.h, but I'm assuming that's expected when building libcurl.

> RC4 is insecure. To the point where we've stopped using it in general, and
> it is being avoided universally where security and encryption are involved.
> See http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02
>
> The main problem with completely disabling RC4 all over tends to involve
> old Windows installations, see
> https://www.ietf.org/mail-archive/web/tls/current/msg11935.html
>
> So, you need to consider the alternatives. RC4 is known to be insecure,
> but possibly less bad than what other algorithms you can choose from!
>

From what I can tell, the WinCE 6 implementation of EncryptMessage() seems
to be generally broken when it concerns block ciphers, and RC4 is the only
cipher that I got to work...but I could be totally wrong here.
Unfortunately, I haven't found any other source to support my claim, so I
was hoping someone here had experience with schannel and WinCE 6. :)

Here's a list of the available ciphers for WinCE 6:
http://msdn.microsoft.com/en-us/library/ee498855(v=winembedded.60).aspx

>> - Fix an apparent bug in hostname verification for wildcard certs. For
>> *.example.com from the cert, it was comparing ".example.com" instead of
>> "example.com" against the server's hostname
>>
>
> Oh, that's not just for the embedded version then is it? It sounds
> significant enough that it is strange that it hasn't already been
> reported...

The bug I found was in verify_certificate(), which is only used in the
WinCE implementation of schannel:

#ifdef _WIN32_WCE
  /* Windows CE doesn't do any server certificate validation.
     We have to do it manually. */
  if(data->set.ssl.verifypeer)
    return verify_certificate(conn, sockindex);
#endif

>> - A few small mods to allow libcurl to build for WinCE 6 (e.g., use
>> send()/recv() instead of write()/read()).
>>
>
> What? AFAIK, only minix uses write() and everything else uses send()
> already (and all internals do it with swrite() which is a macro that
> "hides" the real function being used). Am I wrong?

This one confused me as well. curlx_read() and curlx_write() were only
defined for Win32 and were implemented using read() and write().

-- 
Ben Sutcliffe


Received on 2014-09-11
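
The wildcard comparison discussed in this message, as an added example that is not part of the original mail and is not libcurl's verify_certificate(): a matcher in which a leading `*` in the certificate name stands for exactly one host label. The name cert_name_matches is hypothetical, and the host is assumed to be an ASCII DNS name, not an IP literal.

```c
#include <ctype.h>
#include <string.h>

/* Case-insensitive equality for ASCII host names. */
static int host_eq(const char *a, const char *b)
{
  while(*a && *b) {
    if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return 0;
    a++;
    b++;
  }
  return *a == *b;
}

/* Hypothetical helper, not libcurl code.
   Returns 1 if `host` matches the certificate name `pattern`, else 0. */
int cert_name_matches(const char *pattern, const char *host)
{
  const char *suffix;   /* pattern after the '*', e.g. ".example.com" */
  const char *host_dot; /* first '.' in host, e.g. ".example.com" */

  if(!pattern || !host || !*pattern || !*host)
    return 0;

  /* No wildcard: the names must be identical. */
  if(pattern[0] != '*')
    return host_eq(pattern, host);

  /* Accept only "*.<domain>" where <domain> itself contains a dot,
     so "*", "*.com" and "*.*.example.com" never match anything. */
  suffix = pattern + 1;
  if(suffix[0] != '.' || !strchr(suffix + 1, '.') || strchr(suffix, '*'))
    return 0;

  /* The wildcard covers exactly one non-empty label: the host needs a
     first label followed by the same suffix. The '.' is part of both
     sides of the comparison, so "wwwexample.com" cannot match. */
  host_dot = strchr(host, '.');
  if(!host_dot || host_dot == host)
    return 0;

  return host_eq(suffix, host_dot);
}
```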