Adding flags to SChannel cred
From: Morten Minde Neergaard via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 26 Feb 2021 20:56:29 +0100
Hi,
I'm using libcurl in a project I'm doing, and I'd like to specify some
extra flags to the SCHANNEL_CRED struct to enhance security and remove
potential error sources:
SCH_USE_STRONG_CRYPTO:
Disables some older cipher suites.
SCH_CRED_NO_DEFAULT_CREDS
Found a TODO about this flag at
https://curl.haxx.se/docs/todo.html#Add_option_to_disable_client_cer
I'm hoping to avoid forking curl to set the flags, and was basically
wondering how it would make sense to implement this.
The first thing that came to mind would be to add an option
CURLOPT_SSL_BACKEND_FLAGS where each backend could use these flags as
desired. The implementation-specific part of the patch would be like
this for SChannel:
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
_at__at_ -557,6 +557,8 _at__at_ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
"names in server certificates.\n"));
}
+ schannel_cred.dwFlags |= SSL_CONN_CONFIG(backend_flags);
+
switch(conn->ssl_config.version) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
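Review bot: the added `schannel_cred.dwFlags |= SSL_CONN_CONFIG(backend_flags);` ORs the caller-supplied value straight into the credential without any validation, so any bit an application passes (not only SCH_USE_STRONG_CRYPTO or SCH_CRED_NO_DEFAULT_CREDS) reaches SChannel, and because `|=` can only add bits the option can never clear a flag curl already set in dwFlags nor detect a conflict with it. Consider masking the value against the set of flags curl is prepared to honour, or, better, exposing these two as backend-neutral CURLSSLOPT_ bits in CURLOPT_SSL_OPTIONS that schannel.c maps onto the SCH_* constants itself, rather than passing raw SChannel bit values through a generic CURLOPT_SSL_BACKEND_FLAGS whose meaning differs per backend; the option also needs documentation saying which backends read it and what happens on the others.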
Now, I see that this isn't particularly pretty. Is such a patch likely
to be merged, and if not, does anyone have a better way of solving this?
Kind regards,
--
Morten Minde Neergaard
Received on 2021-02-26