
Issues implementing an async certificate validation engine

From: Valerio Di Gregorio (vadigreg) via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 11 Feb 2020 17:17:26 +0000

Hello,
This is my first post here, and I need some help with certificate validation. I used the curl multi interface and CURLOPT_SSL_CTX_FUNCTION so that I can use SSL_CTX_set_cert_verify_callback() and SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ASYNC) to provide my own implementation of an async certificate validation engine. Such an implementation uses IPC to delegate certificate validation to another process. The idea is (pseudocode follows):

// this happens in process #1 in my_cert_verify_callback()
do_ssl_stuff();
create_pipe_for_validation_result(&pipe_read_fd, &pipe_write_fd); // read end stays here, write end is handed to the IPC layer
async_validation_request(pipe_write_fd, cert, cert_len); // this requests cert validation from process #2 via IPC
printf("pause");
ASYNC_pause_job(); // yields the job; it resumes only when the SSL I/O call is invoked again
printf("resume");
read(pipe_read_fd, &validation_result, sizeof(validation_result)); // blocks if process #2 has not written yet

When async response comes in, via IPC, what I do is:

// this happens in process #1
write(pipe_write_fd, &status, sizeof(status));

I see 2 different issues with this:

  1. ASYNC_pause_job() can wake up before write(). It will then block on the read(), which is too bad in my single-threaded code.
  2. I fixed case 1 by making read() non-blocking; I then run ASYNC_pause_job() again and again until write() is actually performed. So now I hit another issue. The time between printf("pause") and write() is ~100/200 milliseconds. However, the time between write() and printf("resume") is usually ~4.5 seconds, and this is way too much.

My understanding is that ASYNC_start_job() has to be called again by libcurl to resume the async job. This generally happens in SSL I/O calls like SSL_Read/Write. Matt from the OpenSSL mailing list told me: "When your application knows that the callback is ready to continue it must ensure that whatever OpenSSL I/O operation was in progress prior to the pause is then invoked again." Do you know of any libcurl function I can call to resume the SSL async job?
Many thanks, any help would be much appreciated.

Kind Regards,
Valerio Di Gregorio

Received on 2020-02-11
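The post's first issue is the race between ASYNC_pause_job() waking up and process #2 writing the verdict into the pipe. The program below is an added example, not code from the post, from libcurl or from OpenSSL, and it leaves OpenSSL out entirely so it can run on its own: a forked "toy verifier" stands in for process #2, the parent makes the pipe's read end non-blocking, and instead of spinning it sleeps in poll() on that fd until the verdict arrives or a timeout expires. The verdict codes, the toy_verifier rule (accept a blob that starts with a DER SEQUENCE tag) and the sample byte strings are all constructed for the example; a timeout, EOF or error fails closed, which is the behaviour a verification callback should default to.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Verdict codes for the toy verifier. Constructed for this example,
 * not OpenSSL's X509 verification result codes. */
enum verdict { VERDICT_PENDING = -1, VERDICT_REJECT = 0, VERDICT_ACCEPT = 1 };

/* Stand-in for "process #2": accepts any non-empty blob that starts with a
 * DER SEQUENCE tag (0x30), rejects everything else, and delays a little so
 * the parent's first read reliably finds nothing (the race from the post). */
static int toy_verifier(int write_fd, const unsigned char *cert, size_t cert_len)
{
    int v = (cert_len > 0 && cert[0] == 0x30) ? VERDICT_ACCEPT : VERDICT_REJECT;
    struct timespec delay = { 0, 20 * 1000 * 1000 }; /* 20 ms */
    nanosleep(&delay, NULL);
    return write(write_fd, &v, sizeof v) == (ssize_t)sizeof v ? 0 : -1;
}

/* One non-blocking read of the result pipe. EAGAIN means "not yet";
 * EOF or any other error is treated as a rejection (fail closed). */
static int try_read_verdict(int read_fd)
{
    int v;
    ssize_t n = read(read_fd, &v, sizeof v);
    if (n == (ssize_t)sizeof v)
        return v;
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return VERDICT_PENDING;
    return VERDICT_REJECT;
}

/* Delegates "validation" of cert to a forked verifier and waits for the verdict
 * on a non-blocking pipe, sleeping in poll() until the fd is readable or the
 * timeout expires. Returns VERDICT_ACCEPT, or VERDICT_REJECT on reject, timeout or error. */
int verify_via_pipe(const unsigned char *cert, size_t cert_len, int timeout_ms)
{
    int fds[2]; /* fds[0]: read end kept by process #1, fds[1]: write end for process #2 */
    if (pipe(fds) < 0)
        return VERDICT_REJECT;

    int flags = fcntl(fds[0], F_GETFL);
    if (flags < 0 || fcntl(fds[0], F_SETFL, flags | O_NONBLOCK) < 0) {
        close(fds[0]); close(fds[1]);
        return VERDICT_REJECT;
    }

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return VERDICT_REJECT;
    }
    if (pid == 0) {                /* child: the verifier process */
        close(fds[0]);
        int rc = toy_verifier(fds[1], cert, cert_len);
        close(fds[1]);
        _exit(rc == 0 ? 0 : 1);
    }
    close(fds[1]);                 /* parent keeps only the read end */

    /* The first attempt usually runs ahead of the verifier and gets EAGAIN,
     * which is the wake-before-write case; instead of retrying blindly,
     * wait on the fd itself. */
    int verdict = try_read_verdict(fds[0]);
    while (verdict == VERDICT_PENDING) {
        struct pollfd pfd = { .fd = fds[0], .events = POLLIN, .revents = 0 };
        int r = poll(&pfd, 1, timeout_ms);
        if (r <= 0) {              /* timeout or poll error: fail closed */
            verdict = VERDICT_REJECT;
            break;
        }
        verdict = try_read_verdict(fds[0]);
    }

    close(fds[0]);
    waitpid(pid, NULL, 0);
    return verdict;
}

int main(void)
{
    /* Constructed sample inputs: a DER-looking prefix and a junk blob. */
    static const unsigned char der_like[] = { 0x30, 0x82, 0x01, 0x00 };
    static const unsigned char junk[] = { 0x00, 0xff };
    printf("der-like: %d\n", verify_via_pipe(der_like, sizeof der_like, 1000));
    printf("junk:     %d\n", verify_via_pipe(junk, sizeof junk, 1000));
    return 0;
}
```

The point of the loop is that readiness comes from the pipe's own fd, so the caller never blocks on read() and never has to cycle through ASYNC_pause_job() hoping the verdict has landed. In a real OpenSSL async job the same fd can be registered on the job's wait context with ASYNC_WAIT_CTX_set_wait_fd() so that the application's event loop learns when the job is resumable; how libcurl is then made to re-enter the pending SSL I/O call is exactly the open question of the post and is not answered by this example.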