

Re: retrieving negotiated ssl/tls version

From: bch <brad.harder_at_gmail.com>
Date: Wed, 4 Mar 2015 11:30:11 -0800

This is against curl 1.41.0 release.

Index: src/vendor/curl/docs/libcurl/symbols-in-versions
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/docs/libcurl/symbols-in-versions~0
    2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/docs/libcurl/symbols-in-versions
      2015-03-02 10:36:09.000000000 -0800
@@ -227,6 +227,7 @@
 CURLINFO_LONG 7.4.1
 CURLINFO_MASK 7.4.1
 CURLINFO_NAMELOOKUP_TIME 7.4.1
+CURLINFO_NEGOTIATED_SSL 7.42.0
 CURLINFO_NONE 7.4.1
 CURLINFO_NUM_CONNECTS 7.12.3
 CURLINFO_OS_ERRNO 7.12.2
Index: src/vendor/curl/include/curl/curl.h
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/include/curl/curl.h~0
2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/include/curl/curl.h
2015-03-02 17:34:03.000000000 -0800
@@ -2114,7 +2114,8 @@
   CURLINFO_TLS_SESSION = CURLINFO_SLIST + 43,
   /* Fill in new entries below here! */

- CURLINFO_LASTONE = 43
+ CURLINFO_NEGOTIATED_SSL = CURLINFO_LONG + 44,
+ CURLINFO_LASTONE = 44
 } CURLINFO;

 /* CURLINFO_RESPONSE_CODE is the new name for the option previously known as
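Review bot: The new public enumerator `CURLINFO_NEGOTIATED_SSL` carries no comment saying what value the caller gets back, and the patch touches only symbols-in-versions on the docs side, so nothing tells an application that the long is a CURL_SSLVERSION_* value or that -1 means "not known". The implementation in openssl.c (line 107 onward) returns -1 for an unrecognised or absent SSL object, and -1 is not itself one of the CURL_SSLVERSION_* enumerators, so that sentinel needs to be stated where the symbol is declared, e.g. `CURLINFO_NEGOTIATED_SSL = CURLINFO_LONG + 44, /* CURL_SSLVERSION_* of the negotiated connection, -1 if unknown */`. The CURLINFO enum starts outside this hunk.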
DELETED src/vendor/curl/include/curl/curlbuild.h
Index: src/vendor/curl/lib/getinfo.c
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/lib/getinfo.c~0
2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/lib/getinfo.c 2015-03-03
13:41:35.000000000 -0800
@@ -70,6 +70,7 @@
   info->conn_local_ip[0] = '\0';
   info->conn_primary_port = 0;
   info->conn_local_port = 0;
+ info->negotiated_ssl = -1L;

   return CURLE_OK;
 }
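Review bot: If the function this hunk sits in is the per-transfer info reset (the surrounding assignments suggest so, but the function header is outside the hunk), then `info->negotiated_ssl = -1L;` clears the value at the start of every transfer while the only writer, `set_ssl_version_long()` at openssl.c line 144, runs inside the TLS connect step; a second transfer over a reused TLS connection would therefore report -1 even though the session is still TLS. Either the value should also be copied from the connection when an existing connection is reused, or it should live on the connection rather than in the per-transfer info struct. Whichever is chosen, a short comment at this line explaining why -1 is the reset value (`/* -1: no TLS version known yet for this transfer */`) would help the next reader.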
@@ -137,6 +138,9 @@
   case CURLINFO_HTTP_CONNECTCODE:
     *param_longp = data->info.httpproxycode;
     break;
+ case CURLINFO_NEGOTIATED_SSL:
+ *param_longp = data->info.negotiated_ssl;
+ break;
   case CURLINFO_FILETIME:
     *param_longp = data->info.filetime;
     break;
Index: src/vendor/curl/lib/urldata.h
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/lib/urldata.h~0
2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/lib/urldata.h 2015-03-02
17:47:29.000000000 -0800
@@ -1139,6 +1139,7 @@
   struct curl_certinfo certs; /* info about the certs, only populated in
                                  OpenSSL builds. Asked for with
                                  CURLOPT_CERTINFO / CURLINFO_CERTINFO */
+ long negotiated_ssl; /* the version of ssl/tls that we negotiated */
 };
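Review bot: The field comment `/* the version of ssl/tls that we negotiated */` does not say how the version is encoded, and the consumer in getinfo.c hands the raw long straight to the application. Given the writer in openssl.c stores CURL_SSLVERSION_* values and -1 when nothing could be determined, the comment should pin that contract, e.g. `long negotiated_ssl; /* CURL_SSLVERSION_* value negotiated on the connection, or -1 if not determined */`. The enclosing struct starts outside this hunk.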

Index: src/vendor/curl/lib/vtls/darwinssl.c
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/lib/vtls/darwinssl.c~0
2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/lib/vtls/darwinssl.c
2015-03-03 13:07:26.000000000 -0800
@@ -1919,6 +1919,7 @@
     (void)SSLGetNegotiatedProtocolVersion(connssl->ssl_ctx, &protocol);
     switch (protocol) {
       case kSSLProtocol2:
+ /* bch ref -- NEGOTIATED_SSL info here (?) */
         infof(data, "SSL 2.0 connection using %s\n",
               SSLCipherNameForNumber(cipher));
         break;
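Review bot: The placeholder comment `/* bch ref -- NEGOTIATED_SSL info here (?) */` is placed inside the `kSSLProtocol2` case only, but filling `info.negotiated_ssl` applies to every branch of `switch (protocol)`, so the note belongs before the switch (or the assignment should be a single mapping of `protocol` done once, ahead of the per-case infof calls). As far as this patch shows, darwinssl builds never write the field, so CURLINFO_NEGOTIATED_SSL returns -1 for every connection there; the comment should say that explicitly rather than leave a question mark, e.g. `/* TODO: map protocol to CURL_SSLVERSION_* and store in data->info.negotiated_ssl; until then this backend reports -1 */`. The enclosing function starts and ends outside this hunk.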
Index: src/vendor/curl/lib/vtls/openssl.c
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/lib/vtls/openssl.c~0
2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/lib/vtls/openssl.c
2015-03-03 13:40:41.000000000 -0800
@@ -1660,6 +1660,35 @@

 #endif /* USE_NGHTTP2 */

+void
+set_ssl_version_long(SSL *ssl, struct connectdata *conn)
+{
+ long code=-1L; /* this happens to be CURL_SSLVERSION_DEFAULT -- nb:
we need stricter use of these enums (ref: CURL_SSLVERSION_DEFAULT = 1)
*/
+ if(ssl) {
+ switch(SSL_version(ssl)) {
+#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
+ case TLS1_2_VERSION:
+ code = CURL_SSLVERSION_TLSv1_2;
+ break;
+ case TLS1_1_VERSION:
+ code = CURL_SSLVERSION_TLSv1_1;
+ break;
+#endif
+ case TLS1_VERSION:
+ code = CURL_SSLVERSION_TLSv1;
+ break;
+ case SSL3_VERSION:
+ code = CURL_SSLVERSION_SSLv3;
+ break;
+ case SSL2_VERSION:
+ code = CURL_SSLVERSION_SSLv2;
+ break;
+ }
+ }
+ conn->data->info.negotiated_ssl = code; /* nb: the ssl instance of
struct connectdata did not have ->data -- discuss */
+ /* move this whole works to get_ssl_version_txt() (which appears to
get called w/ or wo VERBOSE) ? */
+}
+
 static const char *
 get_ssl_version_txt(SSL *ssl)
 {
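Review bot: `set_ssl_version_long()` is defined with external linkage and no `Curl_` prefix, which adds an unprefixed global symbol to libcurl; since its only caller is in this file (line 144), it should be `static void set_ssl_version_long(SSL *ssl, struct connectdata *conn)`, matching the `static` `get_ssl_version_txt()` right below it. The comment on `long code=-1L;` claims -1 "happens to be CURL_SSLVERSION_DEFAULT", which contradicts the same comment's own note and, if wrong, would mislead anyone reading the returned value; replace it with what the code actually does: `long code = -1L; /* -1: not an SSL object or a version this build does not recognise */`. Whether `SSL2_VERSION` is available in every OpenSSL configuration this file builds against is not visible here and is worth confirming before the case is left unguarded, and a `default:` (even empty, with a comment) would make the fall-through-to-sentinel behaviour explicit.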
@@ -2203,6 +2232,7 @@
     /* we have been connected fine, we're not waiting for anything else. */
     connssl->connecting_state = ssl_connect_3;

+ set_ssl_version_long(connssl->handle, conn);
     /* Informational message */
     infof(data, "SSL connection using %s / %s\n",
           get_ssl_version_txt(connssl->handle),

On 3/4/15, Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Tue, 3 Mar 2015, bch wrote:
>
>> so, I've got a proof-of-concept (OpenSSL only, atm) ready for review.
>> What's
>> the best way to proceed from here -- is prefered to mail a patch, or issue
>> a
>> pull request on github, or ???
>
> Your choice really. I like a plain patch in a mail to this list.
>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html