Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Re: Get SSL handle after connection has been established
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Patrick Schlangen via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 4 Nov 2024 19:50:58 +0000
Am 04.11.2024 um 20:42 schrieb Dmitry Karpov via curl-library <curl-library_at_lists.haxx.se>:
>
> Getting SSL* is a little bit tricky and hacky, so you need to be careful as libcurl doesn't provide a direct way to get OpenSSL handle
> and discourages from using it directly, especially for SSL_read/SSL_write as it may break how libcurl protocol filters work.
>
> But if you really need to go that path and planning to use SSL* only for extracting some certificate info,
> then here are the steps which you can try:
Thanks a lot for the suggestion!
> 3. In the SSL verify peer callback, you can get the SSL handle like:
>
> static int sslVerifyCallback(int valid_sig, X509_STORE_CTX* ctx) {
> auto ssl = (SSL*)(X509_STORE_CTX_get_ex_data(ctx,
> SSL_get_ex_data_X509_STORE_CTX_idx()));
> ...
> // Extract additional certificate info using OpenSSL API.
> ...
> }
Wouldn't this defeat the built-in peer verification?
Thanks,
Patrick
Date: Mon, 4 Nov 2024 19:50:58 +0000
Am 04.11.2024 um 20:42 schrieb Dmitry Karpov via curl-library <curl-library_at_lists.haxx.se>:
>
> Getting SSL* is a little bit tricky and hacky, so you need to be careful as libcurl doesn't provide a direct way to get OpenSSL handle
> and discourages from using it directly, especially for SSL_read/SSL_write as it may break how libcurl protocol filters work.
>
> But if you really need to go that path and planning to use SSL* only for extracting some certificate info,
> then here are the steps which you can try:
Thanks a lot for the suggestion!
> 3. In the SSL verify peer callback, you can get the SSL handle like:
>
> static int sslVerifyCallback(int valid_sig, X509_STORE_CTX* ctx) {
> auto ssl = (SSL*)(X509_STORE_CTX_get_ex_data(ctx,
> SSL_get_ex_data_X509_STORE_CTX_idx()));
> ...
> // Extract additional certificate info using OpenSSL API.
> ...
> }
Wouldn't this defeat the built-in peer verification?
Thanks,
Patrick
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2024-11-04