curl-library
Re: CURLOPT_SSL_CTX_FUNCTION for mbedTLS missing
Date: Mon, 20 Feb 2017 14:15:50 -0500
On 2/20/2017 3:05 AM, Ales Mlakar wrote:
> Ok, the only problem I see here is that OpenSSL actually has a single
> context where you can add everything to it etc, whereas mbedTLS would
> probably need to push mbedtls_ssl_config* config, mbedtls_x509_crt
> *cacert, mbedtls_x509_crt* clicert, mbedtls_x509_crl* crl,
> mbedtls_pk_context* pk into the callback function, which is kind of
> messy. I just push mbedtls_x509_crt *cacert right now because I only
> need that.
>
Did you check out mbedtls_ssl_config? It has these:

    mbedtls_x509_crt* mbedtls_ssl_config::ca_chain
    int(* mbedtls_ssl_config::f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *)

Are either of those useful to you? What if we had the CTX callback pass
a mbedtls_ssl_config * at the end of step1, couldn't you use
mbedtls_ssl_conf_ca_chain or something to override what curl does via
CURLOPT_CAINFO?
Received on 2017-02-20