
curl-library

RE: Fetching the detail of SSL Host verification failure

From: Basuke Suzuki via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 26 Oct 2018 17:42:39 +0000

> > 4) Use CURLINFO_SSL_VERIFYRESULT.
> >
> > Because OpenSSL returns no validation error, the field for this verify
> > result is available in this situation. When verifyhost() fails, the return
> > code is unchanged from CURLE_PEER_FAILED_VERIFICATION, and a newly
> > defined error code is put into data->set.ssl.certverifyresult, which is
> > available via curl_easy_getinfo with CURLINFO_SSL_VERIFYRESULT. This
> > doesn't break existing applications.
>
> This is the approach I personally prefer. Just make sure you document the
> specific error codes and for what situations they are used, as detailed as
> possible. This is the sort of thing that people soon might want for other SSL
> backends as well and then we need detailed explanations to know how to
> implement and use them there as well...

We had an internal review about this, and the objection to it was that a client expects an OpenSSL error code there, and that it is confusing to return a CURLcode in its place. That is a reasonable point.

So the counter-proposal is to not define a new CURLcode error code, but to use an OpenSSL error code instead. There is an appropriate code, X509_V_ERR_HOSTNAME_MISMATCH, defined for that purpose. This approach goes the opposite way from a common code base among the SSL backends, but the error code returned in certverifyresult was already backend dependent. It seems the right choice.

What do you think? We still have the other options to choose from.

> 1) Simply define new CURLE codes for each of the four cases and return them.
>
> This is the simple solution, but it will return a different error code to existing
> applications.
>
> 2) Add a new option to return the new error codes.
>
> Define a new option such as CURLOPT_SSL_VERIFYHOST_EXTENDED_RESULT to
> change the error code.
> This protects existing applications and safely extends the API.
>
> 3) Define a new value for CURLOPT_SSL_VERIFYHOST.
>
> Currently 0 or 2 is set for CURLOPT_SSL_VERIFYHOST. Then define a new
> value 3 to return the extended result code.

----
Basuke Suzuki
Sony PlayStation
Received on 2018-10-26