curl-library
RE: Fetching the detail of SSL Host verification failure
Date: Fri, 26 Oct 2018 17:42:39 +0000
> > 4) Use CURLINFO_SSL_VERIFYRESULT.
> >
> > Because OpenSSL returns no validation error, the field for this verify
> > result is available in the situation. When verifyhost() fails, return
> > code is unchanged from CURLE_PEER_FAILED_VERIFICATION and put newly
> > defined error code into data->set.ssl. certverifyresult which is
> > available by curl_easy_getinfo with CURLINFO_SSL_VERIFYRESULT. This
> > doesn't break existing application.
>
> This is the approach I personally prefer. Just make sure you document the
> specific error codes and for what situations they are used, as detailed as
> possible. This is the sort of thing that people soon might want for other SSL
> backends as well and then we need detailed explanations to know how to
> implement and use them there as well...
We have an internal review about this and the objection to this was that a client expects OpenSSL error code and it is confusing to return CURLcode into there. That is a reasonable point.
So counter proposal to this is that not defining new error code for CURLcode, but using a OpenSSL error code instead. There is appropriate code X509_V_ERR_HOSTNAME_MISMATCH defined for that purpose. This approach is opposite way for common code base among ssl backend, but the error code returned in the certverifyresult was already backend dependent. It seems a right choice.
What do you think? We still have other options to choose.
> 1) Simply defines new CURLE codes for each four cases and return them.
>
> This is the simple solution, but it will return different error code for existing
> application.
>
> 2) Add new option to return new error code.
>
> Define new option such as CURLOPT_SSL_VERIFYHOST_EXTENDED_RESULT to
> change the error code.
> This protects the existing application and safely extends the api.
>
> 3) Define new value to CURLOPT_SSL_VERIFYHOST.
>
> Currently 0 or 2 is set for CURLOPT_SSL_VERIFYHOST for this option. Then
> define new value 3 to return extended result code.
---- Basuke Suzuki Sony PlayStation ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.htmlReceived on 2018-10-26