

[PATCH] cyassl: remove undefined reference to CyaSSL_no_filesystem_verify & add support for CURLOPT_SSL_CTX_FUNCTION

From: Kyle L. Huff <>
Date: Sun, 22 Feb 2015 15:05:12 -0500

The attached patches remove the reference to
"CyaSSL_no_filesystem_verify", and enable CURLOPT_SSL_CTX_FUNCTION
when using CyaSSL.

1.) Remove the reference to "CyaSSL_no_filesystem_verify"

This method is not (or no longer) defined by cURL or CyaSSL. Looking
through the commit history of both cURL and CyaSSL, I was not able to
find any reference or definition to that method in any past versions.

The defined methods[1] for loading/verifying certificates in a buffer
are CyaSSL_CTX_load_verify_buffer, CyaSSL_CTX_use_certificate_buffer,
and so on. These methods are similar to those in OpenSSL that deal
with loading/verifying certificate files, but obviously for buffers.

I don't think it would be very prudent to implement loading
certificates via buffers here, as that should normally be handled by the
application via a context callback (thus, the next patch).

2.) Add support for CURLOPT_SSL_CTX_FUNCTION when using CyaSSL and
better handle CyaSSL instances using NO_FILESYSTEM.

This patch adds a check for a context callback and registers the
callback in the same manner as openssl (`lib/vtls/openssl.c`). This
enables applications using CyaSSL to perform context operations with
the context instance.

If a callback is not defined, and CyaSSL is in NO_FILESYSTEM mode, it
will return an error only if CURLOPT_SSL_VERIFYPEER is true/1L (we
cannot verify a peer without any certificates loaded).

If a callback is defined, the application can load certificates into
the ssl context from buffers by using the CyaSSL context operations
(CyaSSL_CTX_load_verify_buffer, CyaSSL_CTX_use_certificate_buffer,
etc.) within their application.

I look forward to hearing about any suggestions or improvements.

References -

Kyle L. Huff


Received on 2015-02-22
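
Added example, not part of the original message or of the attached patches: a self-contained C model of the connect-time decision described in item 2 of the mail. All names (`model_ctx`, `ctx_callback`, `load_verify_buffer`, `app_callback`, `connect_step`) are hypothetical stand-ins rather than libcurl or CyaSSL API, and aborting the connection when the callback fails is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model: none of these names are libcurl or CyaSSL API. */
enum result { R_OK, R_NO_TRUST_ANCHORS, R_CALLBACK_FAILED };
struct model_ctx { int trust_anchors; };  /* stands in for the SSL context */
typedef int (*ctx_callback)(struct model_ctx *ctx, const void *userdata);

/* Constructed sample input; the body is a placeholder, not a certificate. */
static const char SAMPLE_PEM[] =
  "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n";

/* Stand-in for a buffer loader: counts PEM certificate blocks in memory. */
static int load_verify_buffer(struct model_ctx *ctx, const char *pem)
{
  static const char begin[] = "-----BEGIN CERTIFICATE-----";
  int found = 0;
  for(const char *p = pem; (p = strstr(p, begin)) != NULL; p += sizeof(begin) - 1)
    found++;
  ctx->trust_anchors += found;
  return found > 0 ? 0 : -1;
}

/* Application callback: loads CA certificates from a buffer it owns. */
static int app_callback(struct model_ctx *ctx, const void *userdata)
{
  return load_verify_buffer(ctx, (const char *)userdata);
}

/* Connect-time decision as the message describes it. */
static enum result connect_step(int no_filesystem, int verifypeer,
                                ctx_callback cb, const void *userdata)
{
  struct model_ctx ctx = { 0 };
  if(cb)  /* assumption: a failing callback aborts the connection */
    return cb(&ctx, userdata) == 0 ? R_OK : R_CALLBACK_FAILED;
  if(no_filesystem && verifypeer)
    return R_NO_TRUST_ANCHORS;  /* no way to load CAs, nothing to verify against */
  return R_OK;
}

int main(void)
{
  printf("no callback, verify on:  %d\n", connect_step(1, 1, NULL, NULL));
  printf("no callback, verify off: %d\n", connect_step(1, 0, NULL, NULL));
  printf("callback, good buffer:   %d\n", connect_step(1, 1, app_callback, SAMPLE_PEM));
  printf("callback, empty buffer:  %d\n", connect_step(1, 1, app_callback, ""));
  return 0;
}
```

In the model, only the combination of no callback, NO_FILESYSTEM and peer verification enabled is refused up front; with a callback registered, the outcome depends on what the application loads.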