
Re: Adding flags to SChannel cred

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Sat, 27 Feb 2021 17:11:01 -0500

On 2/26/2021 2:56 PM, Morten Minde Neergaard via curl-library wrote:
> I'm using libcurl in a project I'm doing, and I'd like to specify some
> extra flags to the SCHANNEL_CRED struct to enhance security and remove
> potential error sources:
>
> SCH_USE_STRONG_CRYPTO:
> Disables some older cipher suites.
>
> SCH_CRED_NO_DEFAULT_CREDS
> Found a TODO about this flag at
> https://curl.haxx.se/docs/todo.html#Add_option_to_disable_client_cer
>
> I'm hoping to avoid forking curl to set the flags, and was basically
> wondering how it would make sense to implement this.
>
> The first thing that came to mind would be to add an option
> CURLOPT_SSL_BACKEND_FLAGS where each backend could use these flags as
> desired. The implementation-specific part of the patch would be like
> this for SChannel:
>
> --- a/lib/vtls/schannel.c
> +++ b/lib/vtls/schannel.c
> _at__at_ -557,6 +557,8 _at__at_ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
> "names in server certificates.\n"));
> }
>
> + schannel_cred.dwFlags |= SSL_CONN_CONFIG(backend_flags);
> +
> switch(conn->ssl_config.version) {
> case CURL_SSLVERSION_DEFAULT:
> case CURL_SSLVERSION_TLSv1:
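Review bot: The added `schannel_cred.dwFlags |= SSL_CONN_CONFIG(backend_flags);` ORs an opaque caller-supplied value straight into the credential flags with no validation, so any bit the application sets, including ones that relax checks rather than tighten them, reaches SChannel unchanged; since the request only needs SCH_USE_STRONG_CRYPTO and SCH_CRED_NO_DEFAULT_CREDS, mask the value against an allowlist of those documented bits and fail on anything outside it. The hunk also leaves `backend_flags` undefined: the ssl_config field, the CURLOPT_SSL_BACKEND_FLAGS setopt plumbing and the option documentation are not part of this diff, and a generically named option whose value is a raw SCHANNEL_CRED bitmask will mean something different on every backend, which argues for per-feature, backend-neutral option bits instead of passing the mask through.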
>
>
> Now, I see that this isn't particularly pretty. Is such a patch likely
> to be merged, and if not does anyone have a better way of solving this?


I've proposed two PRs to address the auto credentials issue. One would
leave auto credentials as the default and add an option to disable it
[1], and the other would disable auto credentials as the default
(breaking change) and add an option to enable it [2]. Please take any
discussion about it to the latter PR.

Regarding strong ciphers, CURLOPT_SSL_CIPHER_LIST [3] (--ciphers for the
curl tool [4]) can be used with Schannel to set some algorithms but
unlike other SSL backends it's relatively limited without ciphersuite
support or umbrella terms like "USE_STRONG_CRYPTO". We would consider a
patch for that to signal strong crypto.


[1]: https://github.com/curl/curl/pull/6672
[2]: https://github.com/curl/curl/pull/6673
[3]: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
[4]: https://curl.se/docs/manpage.html#--ciphers
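The review concern above, that a raw bitmask should not be OR'd into SCHANNEL_CRED.dwFlags unchecked, is illustrated here as an added example; it is not curl code and not part of either PR. It assumes the hypothetical CURLOPT_SSL_BACKEND_FLAGS option from the original mail, stands in for the SCHANNEL_CRED struct with a one-field stub so it compiles off Windows, and defines the two flag constants locally with the values from the Windows SDK's schannel.h. Only the two bits the mail asks for are allowed through; any other bit makes the call fail and leaves the credential untouched.

```c
/* Added example (not curl's code): allowlist caller-supplied SChannel
 * credential flags before they reach SCHANNEL_CRED.dwFlags. */
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the Windows SDK schannel.h; defined locally so the
 * example also builds on non-Windows hosts. */
#ifndef SCH_CRED_NO_DEFAULT_CREDS
#define SCH_CRED_NO_DEFAULT_CREDS 0x00000010
#endif
#ifndef SCH_USE_STRONG_CRYPTO
#define SCH_USE_STRONG_CRYPTO 0x00400000
#endif

/* The only bits an application may request through the hypothetical
 * CURLOPT_SSL_BACKEND_FLAGS option discussed in the mail (assumption). */
#define ALLOWED_BACKEND_FLAGS (SCH_CRED_NO_DEFAULT_CREDS | SCH_USE_STRONG_CRYPTO)

/* Stand-in for the real SCHANNEL_CRED; only dwFlags matters here. */
struct schannel_cred_stub {
    uint32_t dwFlags;
};

/* Returns the bits of 'requested' that are NOT on the allowlist (0 if all
 * requested bits are permitted). */
uint32_t rejected_backend_flags(uint32_t requested)
{
    return requested & ~(uint32_t)ALLOWED_BACKEND_FLAGS;
}

/* Merge the requested flags into the credential. On success returns 0 and
 * ORs the bits in; if any bit is outside the allowlist, returns -1 and
 * leaves cred->dwFlags exactly as it was, so undocumented bits never reach
 * the backend. This is the check the raw "dwFlags |= backend_flags" in
 * the posted hunk lacks. */
int apply_backend_flags(struct schannel_cred_stub *cred, uint32_t requested)
{
    uint32_t rejected = rejected_backend_flags(requested);
    if(rejected) {
        fprintf(stderr, "rejecting unknown SChannel flag bits 0x%08x\n",
                (unsigned)rejected);
        return -1;
    }
    cred->dwFlags |= requested;
    return 0;
}

int main(void)
{
    /* Constructed starting state: pretend curl already set one flag. */
    struct schannel_cred_stub cred = { 0x00000008 };

    if(apply_backend_flags(&cred, SCH_USE_STRONG_CRYPTO |
                                  SCH_CRED_NO_DEFAULT_CREDS) == 0)
        printf("dwFlags now 0x%08x\n", (unsigned)cred.dwFlags);

    /* A bit that is not on the allowlist is refused and nothing changes. */
    if(apply_backend_flags(&cred, 0x80000000u) != 0)
        printf("dwFlags unchanged at 0x%08x\n", (unsigned)cred.dwFlags);
    return 0;
}
```

The allowlist is deliberately the only place a new flag can be admitted, so extending the option to another SCH_* bit is a one-line, reviewable change rather than something any caller can do at runtime.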

Received on 2021-02-27