Re: Get SSL handle after connection has been established
From: Dmitry Karpov via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 4 Nov 2024 20:14:10 +0000
It still works for mine, but I am still using 8.6.0 version where it is used (in some very special environment).
So, I am not sure about the latest libcurl versions.
It is really a hack, so it may have some unintended consequences.
(I forgot to mention that the sslVerifyCallback() should return 1)
I guess you just need to try it and see if it works in your particular case.
Thanks,
Dmitry Karpov
-----Original Message-----
From: Patrick Schlangen <patrick_at_schlangen.me>
Sent: Monday, November 4, 2024 11:51 AM
To: libcurl development <curl-library_at_lists.haxx.se>
Cc: Dmitry Karpov <dkarpov_at_roku.com>
Subject: [EXTERNAL] Re: Get SSL handle after connection has been established
On 04.11.2024 at 20:42, Dmitry Karpov via curl-library <curl-library_at_lists.haxx.se> wrote:
>
> Getting SSL* is a little bit tricky and hacky, so you need to be
> careful as libcurl doesn't provide a direct way to get OpenSSL handle and discourages from using it directly, especially for SSL_read/SSL_write as it may break how libcurl protocol filters work.
>
> But if you really need to go that path and planning to use SSL* only
> for extracting some certificate info, then here are the steps which you can try:
Thanks a lot for the suggestion!
> 3. In the SSL verify peer callback, you can get the SSL handle like:
>
> static int sslVerifyCallback(int valid_sig, X509_STORE_CTX* ctx) {
>     auto ssl = (SSL*)(X509_STORE_CTX_get_ex_data(ctx,
>         SSL_get_ex_data_X509_STORE_CTX_idx()));
>     ...
>     // Extract additional certificate info using OpenSSL API.
>     ...
> }
Wouldn't this defeat the built-in peer verification?
Thanks,
Patrick
Received on 2024-11-04