
curl-library

Re: CURLOPT_SSL_CTX_FUNCTION for mbedTLS missing

From: Ales Mlakar <jazzbre_at_gmail.com>
Date: Mon, 20 Feb 2017 09:05:20 +0100

OK, the only problem I see here is that OpenSSL actually has a single
context to which you can add everything, etc., whereas mbedTLS would
probably need to push mbedtls_ssl_config* config, mbedtls_x509_crt*
cacert, mbedtls_x509_crt* clicert, mbedtls_x509_crl* crl and
mbedtls_pk_context* pk into the callback function, which is kind of messy.
I just push mbedtls_x509_crt* cacert right now because I only need that.

Like:
static CURLcode AddCertificatesFunction(CURL* curl, void* sslctx, void* parm) {
    (void)curl;
    (void)parm;

    /* CA bundle embedded in the binary instead of being read from disk. */
    const char* testpem = "-----BEGIN CERTIFICATE-----\n"

...

                          "-----END CERTIFICATE-----\n";

    /* With this patch the mbedTLS backend hands the callback the CA chain
       (mbedtls_x509_crt*), so that is what sslctx points at here. */
    mbedtls_x509_crt* cacert = static_cast<mbedtls_x509_crt*>(sslctx);

    /* For PEM input mbedtls_x509_crt_parse() needs the length to include the
       terminating NUL, hence strlen() + 1. It returns 0 when every certificate
       in the bundle parsed, a positive count of certificates it had to skip,
       or a negative error code. */
    int ret = mbedtls_x509_crt_parse(cacert, (const unsigned char*) testpem,
                                     strlen(testpem) + 1);
    if (ret != 0) {
        /* Anything other than CURLE_OK fails the transfer; returning CURLE_OK
           here regardless would silently continue with an empty trust store. */
        return CURLE_ABORTED_BY_CALLBACK;
    }

    return CURLE_OK;
}

Used from:

res = curl_easy_setopt(curl_, CURLOPT_SSL_CTX_FUNCTION, AddCertificatesFunction);
Regards,
Ales

On Sat, Feb 18, 2017 at 11:56 PM, Ray Satiro via curl-library <curl-library_at_cool.haxx.se> wrote:

> On 2/18/2017 2:34 PM, Ales Mlakar wrote:
> > I was using CURLOPT_SSL_CTX_FUNCTION to load the ca certs from memory
> > with OpenSSL and I want to use the same on mbedTLS.
> > Is there any reason this is not implemented?
> > I've added it and it works, I can make a pull request or whatever you
> > guys do If you want, just say the word.
>
> Just lack of interest I suspect. That option was intended to modify the
> configuration options though not the actual SSL object, and I'm not sure
> what effect it would have just modifying an mbedtls config. I think the
> mbedTLS CTX is actually the equivalent of what the SSL object is in
> OpenSSL, and probably mbedtls_ssl_config is the equivalent of OpenSSL's
> CTX? In CURLINFO_TLS_SSL_PTR [1] we are returning a pointer to
> mbedtls_ssl_context so that's why I think their context is SSL obj.
> Anyway.. sure, make a PR and someone will take a look.
>
>
> [1]: https://curl.haxx.se/libcurl/c/CURLINFO_TLS_SSL_PTR.html
>
>
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-02-20