curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

HTTPS using my own TLS session

From: David Woodhouse via curl-library <>
Date: Fri, 13 Sep 2019 14:13:24 +0100

OpenConnect¹ is a SSL VPN client. It needs quite fine-grained control
over the TLS connection that it makes to the VPN server, to allow for
client certificates from various sources (TPM, PKCS#11, etc.) as well
as for interoperability reasons.

I didn't want to have to write my own HTTP support, but at the time I
couldn't find any HTTP client libraries which would just let me use my
own underlying connection while they did the HTTP parts for me.

I was never happy about this, especially as I had to implement various
parts of SOCKS and HTTP proxy support and various authentication
protocols. And I wasn't looking forward to having to implement HTTP/2

Then CVE-2019-16239² happened and I'm even less happy. This is
precisely why I didn't want to have to do my own HTTP in the first

So: what would it take to use curl for HTTP while basically abusing it
from both sides? Not only do I need it to use my own underlying TLS
connection, but I also need in some cases to make a CONNECT or even GET
request which completes as soon as it has an HTTP 101 or 200 response
and immediately hands the connection back to me since it's passing
binary traffic over it then.



  • application/x-pkcs7-signature attachment: smime.p7s
Received on 2019-09-13