curl-library
Questions and proposals about SSL and pinned public key
Date: Fri, 10 Oct 2014 20:08:39 +0200
I just looked at the last updates to the vtls/* code and this makes me
wonder about the following things:
1) QsoSSL is obsolete. I propose to remove it completely from the code.
Runs only on AS/400 where GSKit is always available and much better in
many senses. In addition, it's hard to make it evolve. Any objection?
2) In Curl_ssl_random(), I propose to return -1 if curlssl_random is not
defined.
3) I can understand the backend-specific md5sum function (i.e.: for
speed purposes), but we already have our own implementation and it would
be wise to use it, at least when have_curlssl_md5sum is not defined. In
addition, ifdefs on have_curlssl_md5sum can be replaced by ifdefs on
curlssl_md5sum. Your opinion?
4) I would like to split the backend-specific pkp_pin_peer_pubkey() (of
openssl and gtls) into a backend-specific part that gets the key from
the certificate and a generic part cooking the pinned public key and
comparing: this would avoid repeating the PPK cooking in each backend.
Any objection?
5) The misunderstanding I made 2 days ago about PPK inspired the
following possible improvement. If the PPK file does not exist, the
curl_easy_setopt() string is checked for being a PEM public key (direct
data). In addition, the file data is checked for PEM format. Else it
behaves as today (DER).
Of course, all these changes can be delayed after the feature freeze...
Good week-end to everyone.
Patrick
Received on 2014-10-10
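
The split proposed in points 4 and 5, as an added example that is not curl's code or the author's: the backend supplies only the DER public key, and one generic routine accepts the pin as PEM or raw DER and compares. The names `pin_matches` and `pem_to_der`, the 1024-byte buffer and the sample data are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#define PEM_BEGIN "-----BEGIN PUBLIC KEY-----"
#define PEM_END   "-----END PUBLIC KEY-----"
/* Constructed sample data: 5 arbitrary bytes standing in for a DER key. */
static const unsigned char SAMPLE_KEY[] = {0x30, 0x03, 0x01, 0x02, 0x03};
static const char SAMPLE_PEM[] = PEM_BEGIN "\nMAMBAgM=\n" PEM_END "\n";

/* Value of one base64 character, or -1 if outside the alphabet. */
static int b64val(char c)
{
  static const char tbl[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  const char *p = c ? strchr(tbl, c) : NULL;
  return p ? (int)(p - tbl) : -1;
}

/* Decode a PEM public key (pem starts with PEM_BEGIN) into out.
   Returns the DER length, or -1 if malformed or larger than cap. */
static long pem_to_der(const char *pem, size_t len,
                       unsigned char *out, size_t cap)
{
  size_t i = strlen(PEM_BEGIN), n = 0, endlen = strlen(PEM_END);
  unsigned int acc = 0, bits = 0;
  for(; i < len && pem[i] != '-'; i++) {
    int v = b64val(pem[i]);
    if(pem[i] == '\r' || pem[i] == '\n' || pem[i] == '=')
      continue; /* line breaks and padding carry no data */
    if(v < 0 || n >= cap)
      return -1;
    acc = (acc << 6) | (unsigned int)v;
    bits += 6;
    if(bits >= 8)
      out[n++] = (unsigned char)((acc >> (bits -= 8)) & 0xff);
  }
  if(len - i < endlen || memcmp(pem + i, PEM_END, endlen))
    return -1; /* END marker missing: truncated or not PEM */
  return (long)n;
}

/* Generic part: compare the DER key a backend extracted from the peer
   certificate with the pin, given as PEM or raw DER. 1 = match. */
int pin_matches(const unsigned char *key, size_t keylen,
                const char *pin, size_t pinlen)
{
  unsigned char der[1024]; /* assumed upper bound on key size */
  if(pinlen >= strlen(PEM_BEGIN) && !memcmp(pin, PEM_BEGIN, strlen(PEM_BEGIN))) {
    long n = pem_to_der(pin, pinlen, der, sizeof(der));
    return n >= 0 && (size_t)n == keylen && !memcmp(der, key, keylen);
  }
  return pinlen == keylen && !memcmp(pin, key, keylen); /* raw DER pin */
}
```

A malformed or truncated PEM pin is treated as a mismatch rather than falling back to a DER comparison, so a damaged pin file cannot silently weaken the check.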