
Re: Enabled multiple SSL backends

From: Kamil Dudka via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 30 Aug 2017 10:06:02 +0200

On Monday, August 28, 2017 11:22:51 PM CEST Daniel Stenberg wrote:
> Hi friends!
>
> As of minutes ago, libcurl has the ability to change SSL backend dynamically
> at run-time - if built with the support enabled. That means that the choice
> does no longer only have to happen at build-time.
>
> curl_global_sslset() is the new function for selecting which SSL backend to
> use. See https://curl.haxx.se/libcurl/c/curl_global_sslset.html

Should the curl_global_sslset() function really be declared in <curl/multi.h>?
I thought that the include file was used solely for the libcurl multi API...

> There's also a new example showing it in use:
> https://curl.haxx.se/libcurl/c/sslbackend.html
>
> To build with multiple backends, just specify all you want on the configure
> line. Ie "--with-ssl --with-gnutls" builds with both OpenSSL *and* GnuTLS.
>
> Tell configure which backend to use by default when built to use several,
> with --with-default-ssl-backend.
>
> This is of course a rather huge change to a lot of TLS code so of course
> there's a risk that some things broke in this process even if Johannes has
> done wonderful work on this and I've done my best in reviewing it. Please
> be extra alert for SSL related quirks in the nearest future.

If I build curl with both NSS and OpenSSL while OpenSSL being the default:

$ ./configure --with-ssl --with-nss --with-default-ssl-backend=openssl --disable-tls-srp

... NTLM authentication (e.g. in test-suite) fails with the following error:

* unable to initialize NSS, curl_global_init() should have been called with CURL_GLOBAL_SSL or CURL_GLOBAL_ALL

This is caused by using NSS for the crypto operations even though only OpenSSL
was initialized. Should the switch work for SSL only or should it work for
the low-level crypto operations, too?

I see that Curl_ssl includes hooks for md5 and sha256 but I guess it would
significantly complicate the interface if we wanted to make the crypto
backends for NTLM and the like also run-time switchable...

A lightweight solution would be to fix curl_ntlm_core.c such that it uses
crypto operations from the default SSL/crypto backend. This would fix the
breakage in the most common case. However, NTLM would still break if the
SSL backend was switched at run-time.

Kamil

> Finally, all credits for the heavy lifting here should go to Johannes
> Schindelin! Thanks!
>
> Questions?
Received on 2017-08-30