
curl-library

Re: Can't get internals pointer on iOS

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 26 Apr 2016 16:33:30 -0400

On 4/26/2016 8:50 AM, Bru Rom wrote:
> Hello!
>
> Using iOS 9.3.1 on iPhone 5 and 6, Mac OS X 10.11.4, XCode 7.3,
> libcurl 7.47.1
>
> libcurl is built with this thing:
> https://github.com/sinofool/build-libcurl-ios
>
> built without OpenSSL, with native DarwinSSL
>
> libz is linked to the project additionally to libcurl (as required)
>
> Now I have a very simple test project (but on a complex business REST
> task), I am using the curl_easy*** API with many self-signed certs.
>
> At a glance everything is working fine! I can GET, I can POST, JSON is
> flying back and forth without any troubles, but I run into underlying
> SSL cache troubles, when a new connection uses the previous user SSL cert.
>
> I try to use curl_easy_getinfo(curl, CURLINFO_TLS_SESSION, &info);
> to load info in
> struct curl_tlssessioninfo *info;
> and get pointer to underlying ssl context and shut it.
>
> CURLINFO_TLS_SSL_PTR is not available, but docs say they are the same
> for me
>
> But no matter how I do it I can only get
> curl_sslbackend backend = CURLSSLBACKEND_DARWINSSL;
> and void *internals = NULL;
> always NULL
>
> Some more information on iOS TLS caching:
> https://developer.apple.com/library/ios/qa/qa1727/_index.html
>
> I cannot use anything but libcurl. Every native API is:
> a) much much harder on my task
> b) with some nasty limitations
>
> I google, I try examples, I read the API and headers, I wildly debug for a week.
> I tried all relevant (and irrelevant) options such as
> curl_easy_setopt(curl_handle, CURLOPT_MAXCONNECTS, 1);
> curl_easy_setopt(curl_handle, CURLOPT_DNS_CACHE_TIMEOUT, 0);
> curl_easy_setopt(curl_handle, CURLOPT_SSL_SESSIONID_CACHE, 0);
> curl_easy_setopt(curl_handle, CURLOPT_COOKIELIST, "ALL");
> curl_easy_setopt(curl_handle, CURLOPT_RTSP_SESSION_ID, NULL);
> curl_easy_setopt(curl_handle, CURLOPT_FRESH_CONNECT, 1);
> curl_easy_setopt(curl_handle, CURLOPT_FORBID_REUSE, 1);
>
> No result.
>
> Help. How should I get a pointer to the SSLContext?
>

Best practice is, if a curl option requires a long, to pass exactly
that, e.g. 0L or (long)0. That has to do with the way curl_easy_setopt
retrieves arguments (va_arg style; think printf). Some like Linux gcc
may have protections built in for that I believe (if x64 they extend
32-bit ints to 64-bit), but I don't know how widespread that behavior
is. Before you do anything else I'd correct all CURLOPTs so you're
passing the right types and test again.

So is the problem that Apple maintains a per process TLS session cache
and it is resuming the session? I read your ref and that's what it seems
to imply. I don't know if you can disable that in libcurl. As you've
already discovered there's a curl option --no-sessionid
(CURLOPT_SSL_SESSIONID_CACHE) which can be used to disable libcurl's
session cache for some SSL backends, however maybe Apple has a separate
layer? Also looking at the way we disable it maybe it's done wrong?

In libcurl's darwinssl.c [1] it shows that if no session ID is found it
creates one by calling SSLSetPeerID. Maybe we should not be doing that
(or be doing it differently) if conn->ssl_config.sessionid is false? I
don't use SecureTransport and I don't have a development environment
for it, hopefully someone else can step in here.

[1]:
https://github.com/curl/curl/blob/curl-7_48_0/lib/vtls/darwinssl.c#L1470-L1503

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-04-26
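As an added example (not from this thread and not curl project code), a small Python check that does mechanically what the reply above recommends doing by hand: scan C source for curl_easy_setopt calls whose argument is a bare integer literal, which curl_easy_setopt will read with va_arg as a long, and propose the correctly typed form. For options whose name ends in _LARGE the proposed fix is a curl_off_t cast, since libcurl documents those as taking curl_off_t rather than long. The sample source is constructed here from the calls in the post plus a few correctly typed lines; the regex only handles single-line calls, which is an assumption of this checker, not a property of libcurl.

```python
import re

# Constructed sample input, modelled on the setopt calls quoted in the post.
# Lines 3, 4, 5, 6 and 9 are already correctly typed and must not be flagged.
SAMPLE_SOURCE = """\
curl_easy_setopt(curl_handle, CURLOPT_MAXCONNECTS, 1);
curl_easy_setopt(curl_handle, CURLOPT_DNS_CACHE_TIMEOUT, 0);
curl_easy_setopt(curl_handle, CURLOPT_SSL_SESSIONID_CACHE, 0L);
curl_easy_setopt(curl_handle, CURLOPT_COOKIELIST, "ALL");
curl_easy_setopt(curl_handle, CURLOPT_RTSP_SESSION_ID, NULL);
curl_easy_setopt(curl_handle, CURLOPT_FRESH_CONNECT, (long)1);
curl_easy_setopt(curl_handle, CURLOPT_FORBID_REUSE, 1);
curl_easy_setopt(curl_handle, CURLOPT_INFILESIZE_LARGE, 1048576);
curl_easy_setopt(curl_handle, CURLOPT_INFILESIZE_LARGE, (curl_off_t)1048576);
"""

# One curl_easy_setopt(handle, CURLOPT_X, arg); call on a single line.
# Assumption: calls are not split across lines.
CALL_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*(?P<handle>[^,]+?)\s*,\s*"
    r"(?P<opt>CURLOPT_\w+)\s*,\s*(?P<arg>[^;]*?)\s*\)\s*;"
)

# A bare decimal integer literal: no L suffix and no cast in front of it.
# Such an argument is passed as int while curl_easy_setopt reads a long.
BARE_INT_RE = re.compile(r"^[+-]?\d+$")


def suggested_fix(opt, arg):
    """Return the correctly typed spelling of a bare integer argument."""
    if opt.endswith("_LARGE"):
        # *_LARGE options take curl_off_t, not long.
        return "(curl_off_t)" + arg
    return arg + "L"


def find_bad_setopt_args(source):
    """Return (line number, option, argument, fix) for every bare-int argument."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CALL_RE.search(line)
        if not m:
            continue
        opt, arg = m.group("opt"), m.group("arg")
        if not BARE_INT_RE.match(arg):
            continue  # already 0L, (long)0, a string, a pointer, NULL, ...
        findings.append((lineno, opt, arg, suggested_fix(opt, arg)))
    return findings


def fix_source(source):
    """Rewrite every flagged call with its correctly typed argument."""
    fixed = []
    for line in source.splitlines(keepends=True):
        m = CALL_RE.search(line)
        if m and BARE_INT_RE.match(m.group("arg")):
            start, end = m.span("arg")
            line = line[:start] + suggested_fix(m.group("opt"), m.group("arg")) + line[end:]
        fixed.append(line)
    return "".join(fixed)


if __name__ == "__main__":
    for lineno, opt, arg, fix in find_bad_setopt_args(SAMPLE_SOURCE):
        print(f"line {lineno}: {opt} passed {arg!r}; use {fix}")
    print(fix_source(SAMPLE_SOURCE))
```

Run it over a real tree with `find_bad_setopt_args(open(path).read())` per file; the same va_arg concern applies to curl_easy_getinfo and curl_multi_setopt, so the regex can be widened to those names if a codebase uses them with numeric arguments.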