
curl-library

Re: CURLOPT_SSL_CTX_FUNCTION for SSPI

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Sat, 12 Mar 2016 18:57:27 -0500

On 3/12/2016 6:34 PM, Steve Holme wrote:
> On Thu, 10 Mar 2016, Henri Hein wrote:
>
> > I forked the curl sources and implemented CURLOPT_SSL_CTX_FUNCTION for
> > the SSPI/Schannel build. Would there be any interest in a pull
> > request for this? It's just a few lines of code that I took from the
> > cyassl source. For my purposes, I needed access to the server
> > certificate in my callback, so I found I had to make the call to the
> > callback in the connect_step2(), rather than connect_step1(), where it
> > is in cyassl. Other than that it's exactly the same.
>
> I don't see why not - it is my opinion that we should try and cover
> this functionality for all SSL backends if possible and appropriate to
> do so.
>

I disagree here. The CTX function is meant to give an application a way
to modify the context (i.e. the options) used to make the SSL object which
represents the connection. It is documented as "called by libcurl just
before the initialization of an SSL connection". In schannel (WinSSL),
context is not the same thing: what is referred to as the context (or
security context) is the product of those options, is coupled with a
connection, and is similar to an SSL object. schannel's SCHANNEL_CRED is
probably the closest thing to OpenSSL's SSL_CTX because that's where you
set the flags and ciphers, etc.; however, there is no way to set a user
callback in SCHANNEL_CRED.

So I would not implement the CTX callback that way for schannel since
it's not in line with the API. Instead I would probably pass
SCHANNEL_CRED, if there was any interest for that.

If you need a way to run extra verification on the server certificate
SCHANNEL_CRED can't help with that as far as I know. There is a new
symbol CURLINFO_TLS_SSL_PTR [1] we've added for curl 7.48 (to be
released later this month) that can be used to retrieve the active SSL
connection and supports schannel. You can use it to get the CtxtHandle
(the security context -- the closest thing schannel has to an SSL
object) and use that to get the certificates.

CURLINFO_TLS_SSL_PTR and its predecessor CURLINFO_TLS_SESSION have a
limitation, though, in that with FTPS more than one connection may be in
use, and it can't retrieve those additional SSL objects. I have an issue in
to explore having a callback after each SSL connection is made [2], or
maybe events like a CURLOPT_CONN_FUNCTION or something, and then pass
the callback flags, maybe like BEFORE_SSL_CONN, AFTER_SSL_CONN,
BEFORE_SSL_VERIFY, AFTER_SSL_VERIFY.

[1]: https://curl.haxx.se/libcurl/c/CURLINFO_TLS_SSL_PTR.html
[2]: https://github.com/curl/curl/issues/685

Received on 2016-03-13