curl-tracker mailing list Archives

[ curl-Bugs-1924441 ] SSL callback option with NSS-linked libcurl

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Mon, 24 Mar 2008 14:43:29 -0700

Bugs item #1924441, was opened at 2008-03-24 16:59
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1924441&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: SSL/TLS
Group: portability problem
>Status: Pending
>Resolution: Later
Priority: 5
Private: No
Submitted By: Scott Cantor (scantor)
Assigned to: Daniel Stenberg (bagder)
Summary: SSL callback option with NSS-linked libcurl

Initial Comment:
I got a report that Fedora is now linking libcurl to NSS instead of OpenSSL, and I think there's a portability issue for applications using the SSL context callback option, since at least the OpenSSL version of that feature uses an OpenSSL-specific structure.

I think the NSS implementation may just not support the callback option yet, but I'm not sure because the code was failing a bit earlier, when setting the allowable cipher suites.

Regardless, if it had run, it would have crashed, and that's not good either.

I would say that use of the context option might need some kind of way to protect against this, but I'm not sure what to suggest yet.

Perhaps there needs to be an option added to "set" the allowable SSL implementation(s) so that code that's using non-portable options can detect a failure at runtime during curl handle setup and fail out before the code just breaks during a connection.

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2008-03-24 22:43

Message:
Logged In: YES
user_id=1110
Originator: NO

Thanks for your report!

The CURLOPT_SSL_CTX_FUNCTION dependency on OpenSSL is well known although
possibly not properly documented. It can of course be seen as a bug, but
one that we've known about since the day we added support for other libs
(April 2005). Only the OpenSSL-powered code in libcurl can call that
callback. We're open for discussions on how to fix this situation in a good
manner, but I think this is better kept on the curl-library mailing list
than in a bug tracker entry.

And instead of "an option added to set the allowable SSL
implementation(s)" I would rather applications could use
curl_version_info() to extract that info and take action based on the
returned data.

Taking all this into account, this bug entry will be closed marked
"later" unless you or anyone else either points out any serious problem
with this approach or steps up and makes these changes start to happen.

----------------------------------------------------------------------

Received on 2008-03-24
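
The curl_version_info() approach suggested in the reply, sketched as an added example that is not part of the original thread or of libcurl itself: the application inspects the reported TLS backend during handle setup and refuses to install an OpenSSL-specific context callback on any other backend. The names backend_is_openssl, ctx_cb and install_ctx_callback and the WITH_LIBCURL build macro are hypothetical, and the version strings mentioned in comments are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 only when the TLS backend string reported by libcurl names
 * OpenSSL, e.g. "OpenSSL/0.9.8g" (constructed sample). A NULL string
 * means libcurl was built without TLS support. */
int backend_is_openssl(const char *ssl_version)
{
    static const char prefix[] = "OpenSSL/";
    return ssl_version != NULL &&
           strncmp(ssl_version, prefix, sizeof(prefix) - 1) == 0;
}

#ifdef WITH_LIBCURL /* cc -DWITH_LIBCURL example.c -lcurl -lssl -lcrypto */
#include <curl/curl.h>
#include <openssl/ssl.h>

/* Hypothetical callback: the cast is only valid when libcurl is
 * OpenSSL-powered, which is why the backend is checked first. */
static CURLcode ctx_cb(CURL *curl, void *sslctx, void *userdata)
{
    (void)curl;
    (void)userdata;
    SSL_CTX_set_verify_depth((SSL_CTX *)sslctx, 4);
    return CURLE_OK;
}

/* Fail during handle setup rather than breaking mid-connection. */
CURLcode install_ctx_callback(CURL *curl)
{
    const curl_version_info_data *vi = curl_version_info(CURLVERSION_NOW);

    if (!backend_is_openssl(vi->ssl_version)) {
        fprintf(stderr, "refusing SSL_CTX callback, TLS backend is %s\n",
                vi->ssl_version ? vi->ssl_version : "(none)");
        return CURLE_FAILED_INIT;
    }
    return curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, ctx_cb);
}
#endif
```

Without -DWITH_LIBCURL only the string check is compiled, so the decision logic can be exercised on a machine that has no libcurl development headers.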
