cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Extent of SSL support in libcurl?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 1 Nov 2002 08:29:14 +0100 (MET)

On Thu, 31 Oct 2002, Dave Halbakken wrote:

> I just noticed this in the 7.10 TODO document:
>
> "* Add FTPS support with SSL for the data connection too. This should
> be made according to the specs written in
> draft-murray-auth-ftp-ssl-08.txt, "Securing FTP with TLS""
>
> Does this mean libcurl's data connection when using SSL is all in the clear?

It means that when you use 'FTPS' with curl, it only uses SSL for the first,
the control, connection. FTPS is not a name of any standard protocol and the
approach curl currently supports is a rather quick hack to make it work with
a ftps server that offerered exactly this mode of operation.

I know this is rather limited and the TODO item was added there since most
(or at least many) people who want a full and secure FTP server connection
want a full implementation.

> I also noticed that the current version of that ftp-ssl draft is
> draft-murray-auth-ftp-ssl-10.txt. In that draft, the use of AUTH TLS is
> recommended over the now-deprecated implicit SSL.

TLSv1 is basicly SSLv3, they're very similar. In curl terms we often talk
about SSL as a general term and it often means "SSL or TLS". The OpenSSL
library supports SSLv2, SSLv3 and TLSv1 fine.

> Does anyone know whether there is support in libcurl for AUTH TLS?

I know that there is none. I would of course like to see it added.

> Is this something I can do outside libcurl by using CURLOPT_PREQUOTE?

No. Since this will affect how connections are supposed to be made, just
adding a few commands to the FTP connection will not be sufficient to get
this working.

I'm prepared to join in and help if anyone wants to see this implemented. I
don't think I'll go ahead and implement it on my own at this point in time.

-- 
 Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.
-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm 
Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
Received on 2002-11-01