Re: CURLOPT_SSL_CTX_FUNCTION for SSPI
Date: Fri, 18 Mar 2016 01:33:50 -0400
On 3/14/2016 8:23 PM, Henri Hein wrote:
> On Sat, Mar 12, 2016 at 3:57 PM, Ray Satiro via curl-library
> <curl-library_at_cool.haxx.se> wrote:
>> Instead I would probably pass SCHANNEL_CRED, if
>> there was any interest for that.
> By this, do you mean call the SSL_CTX_FUNCTION callback in step 1, as the other
> implementations, and pass the SCHANNEL_CRED as the ssl_ctx?
Yes. If there is any interest that is likely the way to do it.
>> There is a new symbol
>> CURLINFO_TLS_SSL_PTR we've added for curl 7.48 (to be released later
>> this month) that can be used to retrieve the active SSL connection and
>> supports schannel. You can use it to get the CtxtHandle (the security
>> context -- the closest thing schannel has to an SSL object) and use that to
>> get the certificates.
> That would indeed serve our purpose. If I understand it correctly, I can use
> this to validate the server certificate and close the connection, either after
> easy_perform returns, or maybe during callbacks. I would prefer an option
> to validate early, after the TLS handshake and before data is being
> transferred. I honestly don't know what my options are here.
You can do it in the progress callback. It's really quite complicated to
do it properly because you have to verify certificate changes. I will
make an example for you. I opened #685 to find a better way, and it
looks like you've already seen that.
> More info: I used the SSL_CTX_FUNCTION callback to implement
> the equivalent functionality to PINNEDPUBLICKEY. I chose to use the
> SSL_CTX_FUNCTION callback, because the footprint on libcurl was
> much smaller that way. I am willing to make a pull request for
> the CURLOPT_PINNEDPUBLICKEY implementation in SSPI, if
> that is more agreeable.
That would be fantastic.
List admin: https://cool.haxx.se/list/listinfo/curl-library
Received on 2016-03-18
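The approach Ray describes above (query CURLINFO_TLS_SSL_PTR from the progress callback, pull the peer certificate out of the schannel CtxtHandle, and re-check whenever the certificate changes), written out as an added example. This is not code from the curl project or from anyone in this thread. The pin format is the one CURLOPT_PINNEDPUBLICKEY documents ("sha256//" followed by the base64 SHA-256 of the DER SubjectPublicKeyInfo); everything else is this example's own choice and is labelled as such in the code: the function and struct names, the placeholder pin and URL in main(), and hashing through BCryptHash with the BCRYPT_SHA256_ALG_HANDLE pseudo-handle, which needs Windows 10 1703 or later. The pin parsing and comparison build on any platform; the schannel part is compiled only under _WIN32 and needs libcurl 7.48.0 or newer.

```c
/* Added example, not curl project code or code from this thread: verify a
 * public-key pin from a progress callback via CURLINFO_TLS_SSL_PTR (libcurl
 * 7.48.0+) on the schannel backend. Assumed: all names used here, the pin and
 * URL in main(), and BCryptHash with a pseudo-handle (Windows 10 1703+). */
#include <string.h>

#define SPKI_HASH_LEN 32

/* Minimal base64 decoder: bytes written, or -1 on a bad character/overflow. */
static int b64_decode(const char *in, unsigned char *out, size_t cap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        if ((bits += 6) >= 8) {
            if (n >= cap) return -1;
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return (int)n;
}

/* 1 if "sha256//<base64>" decodes to exactly the given 32-byte digest, else 0.
 * Constant-time compare so a wrong pin leaks nothing through timing. */
int pin_string_matches(const char *pin, const unsigned char *digest) {
    unsigned char want[SPKI_HASH_LEN], d = 0;
    if (strncmp(pin, "sha256//", 8) != 0) return 0;
    if (b64_decode(pin + 8, want, sizeof(want)) != SPKI_HASH_LEN) return 0;
    for (size_t i = 0; i < SPKI_HASH_LEN; i++) d |= want[i] ^ digest[i];
    return d == 0;
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <schannel.h>
#include <bcrypt.h>
#include <curl/curl.h>

struct pin_state {
    CURL *easy; const char *pin;
    CtxtHandle last; int verified;   /* security context verified most recently */
};

/* 1: the current schannel context presents the pinned key; 0: no context or no
 * peer certificate yet (handshake in progress); -1: key mismatch or failure.
 * Cached per security context, so a new connection (e.g. after a redirect) is
 * re-verified while a reused connection is not re-hashed on every call. */
static int context_pinned(struct pin_state *st) {
    struct curl_tlssessioninfo *tls = NULL;
    CtxtHandle *ctx; PCCERT_CONTEXT cert = NULL;
    unsigned char spki[4096], digest[SPKI_HASH_LEN];
    DWORD spki_len = sizeof(spki); int ok = 0;
    if (curl_easy_getinfo(st->easy, CURLINFO_TLS_SSL_PTR, &tls) != CURLE_OK ||
        !tls || tls->backend != CURLSSLBACKEND_SCHANNEL || !tls->internals)
        return 0;
    ctx = (CtxtHandle *)tls->internals;          /* schannel: internals is CtxtHandle * */
    if (st->verified && ctx->dwLower == st->last.dwLower && ctx->dwUpper == st->last.dwUpper)
        return 1;
    if (QueryContextAttributes(ctx, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &cert) != SEC_E_OK)
        return 0;
    /* DER-encode the leaf's SubjectPublicKeyInfo, SHA-256 it, compare with the pin */
    if (CryptEncodeObject(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO,
                          &cert->pCertInfo->SubjectPublicKeyInfo, spki, &spki_len) &&
        BCRYPT_SUCCESS(BCryptHash(BCRYPT_SHA256_ALG_HANDLE, NULL, 0, spki, spki_len,
                                  digest, sizeof(digest))))
        ok = pin_string_matches(st->pin, digest);
    CertFreeCertificateContext(cert);
    if (!ok) return -1;
    st->last = *ctx; st->verified = 1;
    return 1;
}

/* CURLOPT_XFERINFOFUNCTION: runs throughout the transfer; a non-zero return
 * aborts it (CURLE_ABORTED_BY_CALLBACK) as soon as a mismatching key is seen. */
static int pin_xferinfo(void *clientp, curl_off_t dlt, curl_off_t dln,
                        curl_off_t ult, curl_off_t uln) {
    (void)dlt; (void)dln; (void)ult; (void)uln;
    return context_pinned(clientp) < 0;
}

/* CURLOPT_WRITEFUNCTION: refuse body bytes from any context not yet verified
 * (a short write makes libcurl fail the transfer with CURLE_WRITE_ERROR). */
static size_t pin_write(char *p, size_t sz, size_t n, void *clientp) {
    (void)p;
    return context_pinned(clientp) == 1 ? sz * n : 0;
}

int main(void) {
    struct pin_state st = {0};   /* placeholder pin and URL, not real values */
    st.pin = "sha256//AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=";
    st.easy = curl_easy_init();
    curl_easy_setopt(st.easy, CURLOPT_URL, "https://example.com/");
    curl_easy_setopt(st.easy, CURLOPT_NOPROGRESS, 0L);
    curl_easy_setopt(st.easy, CURLOPT_XFERINFOFUNCTION, pin_xferinfo);
    curl_easy_setopt(st.easy, CURLOPT_XFERINFODATA, &st);
    curl_easy_setopt(st.easy, CURLOPT_WRITEFUNCTION, pin_write);
    curl_easy_setopt(st.easy, CURLOPT_WRITEDATA, &st);
    CURLcode rc = curl_easy_perform(st.easy);   /* CURLE_ABORTED_BY_CALLBACK on mismatch */
    curl_easy_cleanup(st.easy);
    return rc == CURLE_OK ? 0 : 1;
}
#endif
```

Build on Windows with MinGW as gcc pin.c -lcurl -lsecur32 -lcrypt32 -lbcrypt (QueryContextAttributes lives in secur32, CryptEncodeObject and CertFreeCertificateContext in crypt32, BCryptHash in bcrypt). Two caveats a practitioner should keep in mind: the write callback gate guarantees no body byte is consumed from an unverified context, but by the time either callback can see the CtxtHandle the request line and headers may already be on the wire, so a request carrying secrets is still better protected by pinning inside the backend, which is what a CURLOPT_PINNEDPUBLICKEY implementation for SSPI would give. And the cache keyed on the context handle must be reset (st.verified = 0) before the same pin_state is reused for another curl_easy_perform, since a freed handle value could in principle be reissued.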