HTTPS using my own TLS session
Date: Fri, 13 Sep 2019 14:13:24 +0100
OpenConnect¹ is a SSL VPN client. It needs quite fine-grained control
over the TLS connection that it makes to the VPN server, to allow for
client certificates from various sources (TPM, PKCS#11, etc.) as well
as for interoperability reasons.
I didn't want to have to write my own HTTP support, but at the time I
couldn't find any HTTP client libraries which would just let me use my
own underlying connection while they did the HTTP parts for me.
I was never happy about this, especially as I had to implement various
parts of SOCKS and HTTP proxy support and various authentication
protocols. And I wasn't looking forward to having to implement HTTP/2
Then CVE-2019-16239² happened and I'm even less happy. This is
precisely why I didn't want to have to do my own HTTP in the first
So: what would it take to use curl for HTTP while basically abusing it
from both sides? Not only do I need it to use my own underlying TLS
connection, but I also need in some cases to make a CONNECT or even GET
request which completes as soon as it has an HTTP 101 or 200 response
and immediately hands the connection back to me since it's passing
binary traffic over it then.
- application/x-pkcs7-signature attachment: smime.p7s