Re: Adding flags to SChannel cred
From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Sat, 27 Feb 2021 17:11:01 -0500
On 2/26/2021 2:56 PM, Morten Minde Neergaard via curl-library wrote:
> I'm using libcurl in a project I'm doing, and I'd like to specify some
> extra flags to the SCHANNEL_CRED struct to enhance security and remove
> potential error sources:
>
> SCH_USE_STRONG_CRYPTO:
> Disables some older cipher suites.
>
> SCH_CRED_NO_DEFAULT_CREDS
> Found a TODO about this flag at
> https://curl.haxx.se/docs/todo.html#Add_option_to_disable_client_cer
>
> I'm hoping to avoid forking curl to set the flags, and was basically
> wondering how it would make sense to implement this.
>
> The first thing that came to mind would be to add an option
> CURLOPT_SSL_BACKEND_FLAGS where each backend could use these flags as
> desired. The implementation-specific part of the patch would be like
> this for SChannel:
>
> --- a/lib/vtls/schannel.c
> +++ b/lib/vtls/schannel.c
> _at__at_ -557,6 +557,8 _at__at_ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
> "names in server certificates.\n"));
> }
>
> + schannel_cred.dwFlags |= SSL_CONN_CONFIG(backend_flags);
> +
> switch(conn->ssl_config.version) {
> case CURL_SSLVERSION_DEFAULT:
> case CURL_SSLVERSION_TLSv1:
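Review bot: `schannel_cred.dwFlags |= SSL_CONN_CONFIG(backend_flags);` ORs a caller-supplied bitmask straight into SCHANNEL_CRED with no validation, so any SCH_* bit can be set, including ones that conflict with what curl has just put in dwFlags from the verify settings (the preceding context line about "names in server certificates" shows the hunk sits right after that handling) and with the client-certificate logic that SCH_CRED_NO_DEFAULT_CREDS is meant to influence. A plain OR also cannot clear a bit curl already sets by default, so "disable" semantics are not expressible through it. Suggest masking the value against an allowlist of flags curl is prepared to support (or exposing each as a named CURLSSLOPT_ bit), adding documentation for the new option, and stating which backends honour it, since a generic CURLOPT_SSL_BACKEND_FLAGS would mean something different per backend.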
>
>
> Now, I see that this isn't particularly pretty. Is such a patch likely
> to be merged, and if not does anyone have a better way of solving this?
I've proposed two PRs to address the auto credentials issue. One would
leave auto credentials as the default and add an option to disable it
[1], and the other would disable auto credentials as the default
(breaking change) and add an option to enable it [2]. Please take any
discussion about it to the latter PR.
Regarding strong ciphers, CURLOPT_SSL_CIPHER_LIST [3] (--ciphers for the
curl tool [4]) can be used with Schannel to set some algorithms but
unlike other SSL backends it's relatively limited without ciphersuite
support or umbrella terms like "USE_STRONG_CRYPTO". We would consider a
patch for that to signal strong crypto.
[1]: https://github.com/curl/curl/pull/6672
[2]: https://github.com/curl/curl/pull/6673
[3]: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
[4]: https://curl.se/docs/manpage.html#--ciphers
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-02-27
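As an added example, not code from curl or from either poster: the reply above notes that with Schannel CURLOPT_SSL_CIPHER_LIST / --ciphers only names individual algorithms and that there is no umbrella term like "USE_STRONG_CRYPTO", so the strong-crypto policy has to be built by hand. The C program below parses a Schannel-style cipher-list string into ALG_IDs, checks it against a weak-algorithm policy, and rewrites it to drop the weak entries. The table is a constructed subset of the CALG_ names from wincrypt.h (the numeric values are the real Windows constants); the parser, the weak/strong classification and all function names are this example's own and do not mirror libcurl's internal implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t alg_id; /* stand-in for the Windows ALG_ID type */

/* Constructed subset of wincrypt.h CALG_* names. The numeric values are the
 * real Windows constants; the "weak" column is this example's own policy
 * (legacy algorithms a hardened client should not offer). */
static const struct { const char *name; alg_id id; int weak; } ALGS[] = {
  { "CALG_AES_128",  0x660e, 0 }, { "CALG_AES_192",  0x660f, 0 },
  { "CALG_AES_256",  0x6610, 0 }, { "CALG_SHA_256",  0x800c, 0 },
  { "CALG_SHA_384",  0x800d, 0 }, { "CALG_SHA_512",  0x800e, 0 },
  { "CALG_ECDH",     0xaa05, 0 }, { "CALG_ECDSA",    0x2203, 0 },
  { "CALG_DH_EPHEM", 0xaa02, 0 }, { "CALG_RSA_KEYX", 0xa400, 0 },
  { "CALG_RSA_SIGN", 0x2400, 0 }, { "CALG_3DES",     0x6603, 1 },
  { "CALG_RC4",      0x6801, 1 }, { "CALG_MD5",      0x8003, 1 },
  { "CALG_SHA1",     0x8004, 1 },
};
#define NALGS (sizeof(ALGS) / sizeof(ALGS[0]))
#define MAX_ALGS 45 /* bounded output array, as a real ALG_ID list would be */

/* Skip separators (':' ',' space), return the end of the next token and its
 * bounds, or NULL when the input is exhausted. */
static const char *next_token(const char *p, const char **start, size_t *len)
{
  while (*p == ':' || *p == ',' || *p == ' ') p++;
  if (!*p) return NULL;
  *start = p;
  while (*p && *p != ':' && *p != ',' && *p != ' ') p++;
  *len = (size_t)(p - *start);
  return p;
}

/* Exact, case-sensitive table lookup; -1 if the name is unknown. */
static int lookup(const char *name, size_t len)
{
  for (size_t i = 0; i < NALGS; i++)
    if (strlen(ALGS[i].name) == len && memcmp(ALGS[i].name, name, len) == 0)
      return (int)i;
  return -1;
}

/* Parse a cipher-list string into ALG_IDs. Returns the count, or -1 on an
 * unknown name or on overflow: an unknown name is a hard error rather than
 * being skipped, so a typo cannot silently widen what is negotiated. */
int parse_schannel_ciphers(const char *list, alg_id *out, size_t max)
{
  const char *start; size_t len, n = 0;
  while ((list = next_token(list, &start, &len)) != NULL) {
    int i = lookup(start, len);
    if (i < 0 || n >= max) return -1;
    out[n++] = ALGS[i].id;
  }
  return (int)n;
}

/* Policy check standing in for SCH_USE_STRONG_CRYPTO, which libcurl does
 * not expose: 1 if the list is non-empty and has no weak algorithm. */
int is_strong_list(const alg_id *ids, int n)
{
  if (n <= 0) return 0;
  for (int k = 0; k < n; k++)
    for (size_t i = 0; i < NALGS; i++)
      if (ALGS[i].id == ids[k] && ALGS[i].weak) return 0;
  return 1;
}

/* Rewrite a list keeping only known, non-weak names, ':'-separated.
 * Returns the number kept, or -1 if out is too small. */
int harden_cipher_list(const char *in, char *out, size_t outsz)
{
  const char *start; size_t len, used = 0; int kept = 0;
  if (outsz == 0) return -1;
  out[0] = '\0';
  while ((in = next_token(in, &start, &len)) != NULL) {
    int i = lookup(start, len);
    if (i < 0 || ALGS[i].weak) continue;
    if (used + len + (kept ? 1 : 0) + 1 > outsz) return -1;
    if (kept) out[used++] = ':';
    memcpy(out + used, start, len);
    used += len;
    out[used] = '\0';
    kept++;
  }
  return kept;
}

int main(void)
{
  alg_id ids[MAX_ALGS];
  char hardened[128];
  const char *legacy = "CALG_AES_128:CALG_RC4:CALG_MD5:CALG_SHA_256";
  int n = parse_schannel_ciphers(legacy, ids, MAX_ALGS);
  printf("%d algorithms parsed, strong=%d\n", n, is_strong_list(ids, n));
  harden_cipher_list(legacy, hardened, sizeof hardened);
  /* hardened is what you would pass to
   * curl_easy_setopt(h, CURLOPT_SSL_CIPHER_LIST, hardened) or curl --ciphers */
  printf("hardened list: %s\n", hardened);
  return 0;
}
```

The hardened string is passed unchanged to curl_easy_setopt(handle, CURLOPT_SSL_CIPHER_LIST, ...) or to curl --ciphers; with the Schannel backend the names are turned into ALG_IDs that Schannel uses to prune cipher suites, so the list expresses which algorithms may appear in a suite, not which suites are offered or in what order, which is the limitation the reply describes. Treating an unknown name as an error rather than dropping it is the important edge case: a silently ignored typo leaves the default algorithm set in place. The auto-credentials change discussed in the reply later landed in curl 7.77.0 as the CURLSSLOPT_AUTO_CLIENT_CERT bit of CURLOPT_SSL_OPTIONS, with automatic client certificate selection off by default; that is outside this thread and stated here as background.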