Revisiting DANE support in cURL via TLS libraries

From: John Scott via curl-library <curl-library_at_cool.haxx.se>
Date: Sat, 17 Oct 2020 12:06:00 -0400

Hello,

Adding DANE support is on the todo list [1] where it says
> An initial patch was posted by Suresh Krishnaswamy on March 7th 2013 but it was a too simple approach.
> libunbound may be the correct library to base this development on.
> Björn Stenberg wrote a separate initial take on DANE that was never completed.

However, 2013 was a long time ago. Instead of reinventing the wheel with libunbound, OpenSSL [2] and GnuTLS [3] both have support for DANE validation built-in. Doing this in the TLS backend is probably right where it belongs. And since libunbound depends on Nettle, its dependencies mostly overlap with GnuTLS anyway.

I don't know if this is the approach that Björn Stenberg's attempt took, and having not actually used cURL (just looking at it), I'm not volunteering to implement this, but just wanted to point it out.

[1] https://curl.haxx.se/docs/todo.html#Support_DANE
[2] https://www.openssl.org/docs/manmaster/man3/SSL_dane_enable.html
[3] https://www.gnutls.org/manual/html_node/Verifying-a-certificate-using-DANE.html
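As an added illustration (not code from this thread, from curl, or from OpenSSL or GnuTLS), the Python below sketches the TLSA matching that a TLS library performs once DANE validation is enabled: each record's certificate usage, selector and matching type decide which certificate of the presented chain is selected, how it is digested, and whether ordinary PKIX validation must also have passed. Function names and the sample "DER" byte strings are constructed assumptions, not real X.509 data.

```python
import hashlib
import hmac
# DANE-TLSA field values (RFC 6698 section 2.1): usages, selectors, matching types.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_CERT, SEL_SPKI = 0, 1
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2

def parse_tlsa_rdata(rdata):
    """Split TLSA RDATA into (usage, selector, matching type, association data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA must be at least 3 bytes")
    return rdata[0], rdata[1], rdata[2], rdata[3:]

def association_matches(selector, mtype, assoc, cert_der, spki_der):
    """Compare one certificate (or its SubjectPublicKeyInfo) with one TLSA association."""
    selected = {SEL_CERT: cert_der, SEL_SPKI: spki_der}.get(selector)
    if selected is None:
        return False                     # unknown selector: record is unusable
    if mtype == MT_FULL:
        digest = selected
    elif mtype == MT_SHA256:
        digest = hashlib.sha256(selected).digest()
    elif mtype == MT_SHA512:
        digest = hashlib.sha512(selected).digest()
    else:
        return False                     # unknown matching type: record is unusable
    return hmac.compare_digest(digest, assoc)

def dane_verify(tlsa_rrset, chain, pkix_ok):
    """Index of the first TLSA RDATA in `tlsa_rrset` that authenticates `chain` (list of
    (cert_der, spki_der), end entity first), else None. Usages 0/1 also need pkix_ok."""
    for i, rdata in enumerate(tlsa_rrset):
        usage, selector, mtype, assoc = parse_tlsa_rdata(rdata)
        if usage in (PKIX_TA, PKIX_EE) and not pkix_ok:
            continue
        if usage in (PKIX_EE, DANE_EE):
            candidates = chain[:1]       # end-entity certificate only
        elif usage in (PKIX_TA, DANE_TA):
            candidates = chain[1:]       # any issuer in the presented chain
        else:
            continue                     # unknown usage: record is unusable
        if any(association_matches(selector, mtype, assoc, c, k) for c, k in candidates):
            return i
    return None
# Constructed stand-ins for DER certificates and SPKIs (not real X.509 data).
EE_CERT, EE_SPKI = b"constructed-ee-cert-der", b"constructed-ee-spki-der"
CA_CERT, CA_SPKI = b"constructed-ca-cert-der", b"constructed-ca-spki-der"
CHAIN = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]
TLSA_3_1_1 = bytes([DANE_EE, SEL_SPKI, MT_SHA256]) + hashlib.sha256(EE_SPKI).digest()  # "3 1 1"
TLSA_1_0_1 = bytes([PKIX_EE, SEL_CERT, MT_SHA256]) + hashlib.sha256(EE_CERT).digest()  # "1 0 1"
```

A TLSA RRset in which every record is unusable (unknown usage, selector or matching type) is treated by RFC 7671 as if no TLSA records existed; this sketch only returns None and leaves that fallback decision to the caller.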

Received on 2020-10-17