curl / Mailing Lists / curl-library / Single Mail


Re: About IP resolve problem when using HTTP proxy

From: Ray Satiro <>
Date: Fri, 9 Mar 2018 14:18:35 -0500

On 3/8/2018 7:47 AM, Lessandro Mariano wrote:
> I see. I can't figure out a way to solve my use case without patching
> curl though.
> I can use CURLOPT_SSL_CTX_FUNCTION and mbedtls_ssl_conf_verify to
> manually verify the common name in the certificate returned by the
> server, however I cannot change the hostname used for SNI. This is
> because the curl ssl_ctx implementation for mbedtls passes the
> mbedtls_ssl_config object to the callback instead of
> mbedtls_ssl_context, and the hostname for SNI is configured on the
> context and not on the config (see mbedtls_ssl_set_hostname).
> It would make more sense if curl passed the mbedtls context to the
> callback because you can get the config from the context and not vice
> versa, but changing this would break backwards compatibility with
> existing code.
> Alternatively, another solution would be to add a new option that
> overrides the hostname used for ssl/sni, i.e. CURLOPT_SSL_HOSTNAME or
> similar.
> But again if there's a solution that doesn't require patching curl,
> please let me know.

The SSL context function CURLOPT_SSL_CTX_FUNCTION [1] is to allow
modification of the configuration object, not the connection specific
object that is created from it. In OpenSSL the configuration object type
is SSL_CTX and the connection object type is SSL. That is how
CURLOPT_SSL_CTX_FUNCTION got its name. Support for the mbedTLS
configuration object came later. The mbedTLS configuration object type
is mbedtls_ssl_config and the connection object type is
mbedtls_ssl_context. I understand the confusion.

To allow modification of the connection object another callback would be
something like that. Also, there was discussion a while back of adding
the ability to change the SNI [2] but there wasn't enough momentum. I
think for now you will have to patch libcurl.


Received on 2018-03-09