
Re: CURLOPT_SSL_CTX_FUNCTION for mbedTLS missing

From: Ales Mlakar <jazzbre_at_gmail.com>
Date: Tue, 21 Feb 2017 12:33:00 +0100

Thanks for the info; yes, this indeed works.
I've added the CTX callback as the last thing in step1 and pushed
&connssl->config into it. I can then cast it in the callback and call
mbedtls_x509_crt_parse with &config->ca_chain on it.
I'll make a PR ASAP.

Thanks again Ray.

On Mon, Feb 20, 2017 at 8:15 PM, Ray Satiro via curl-library <curl-library_at_cool.haxx.se> wrote:

> On 2/20/2017 3:05 AM, Ales Mlakar wrote:
> > Ok, the only problem I see here is that OpenSSL actually has a single
> > context where you can add everything to it etc, whereas mbedTLS would
> > probably need to push mbedtls_ssl_config* config, mbedtls_x509_crt
> > *cacert, mbedtls_x509_crt* clicert, mbedtls_x509_crl* crl,
> > mbedtls_pk_context* pk into the callback function, which is kind of
> > messy. I just push mbedtls_x509_crt *cacert right now because I only
> > need that.
> >
>
> Did you check out mbedtls_ssl_config? It has these
>
> mbedtls_x509_crt* mbedtls_ssl_config::ca_chain
> int(* mbedtls_ssl_config::f_vrfy)(void *, mbedtls_x509_crt *, int,
> uint32_t *)
>
> Are either of those useful to you? What if we had the CTX callback pass
> a mbedtls_ssl_config * at the end of step1, couldn't you use
> mbedtls_ssl_conf_ca_chain or something to override what curl does via
> CURLOPT_CAINFO?
>
>
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
>

Received on 2017-02-21