cURL / Mailing Lists / curl-library / Single Mail


Re: Callback for cert verification

From: Daniel Stenberg <>
Date: Thu, 8 Jan 2009 00:55:53 +0100 (CET)

On Tue, 6 Jan 2009, Vitaliy Kulikov wrote:

Welcome to our merry little project!

> I am an engineer at Google, and this is my first email to this mailing list.
> I implemented item 7.6 of your "TODO" wish list ("Provide callback for cert
> verification"), and I would like to contribute my changes back to the
> project. Could someone point me to a list of instructions on how I can get
> my changes reviewed and submitted?

I think your description here is perfect to explain what the changes are, and
then you can just make a patch (cvs diff -u) and post it to this very list and
we'll give it a review and comments and you update the nits we find and repost
the new patch and when everything is fine and dandy we commit!

> First, I created an implementation-independent list of common SSL
> certificate error codes

> Second, I added code to save certificate [error] data as part of the
> 'ssl_connect_data' data structure every time a secure connection needs to be
> established and a new set of certificates is received from the server. I
> save every certificate in binary along with the encoding method (DER is the
> only encoding supported at the moment) and the certificate error data. If
> there are multiple certificates in the chain, I save them all (I have a
> hard-coded limit of 16 certificates per chain at the moment).

What is the purpose of the saving of the certs? Ah, is that because you
_first_ save them all and then call the verification callback(s)?

> Third, I provide a way for the client code to supply the stack with a
> callback function to be called every time a new chain of certificates
> is received and validated.

That sounds like something people have asked for. And done in an SSL-library
agnostic way is really cool!

All in all these sound like cool additions/fixes. We're just about to enter a
two-week feature freeze so I would rather not commit anything like this until
after 7.19.3 is out, but we can still work out the details and get it
perfected in the meantime.

Received on 2009-01-08
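The design sketched in the quoted mail (a library-independent set of certificate error codes, the received chain kept as raw DER with a hard-coded limit of 16 entries, and an application callback invoked once the chain is in hand) can be illustrated with a small stand-alone C program. The following is an added example written for this page, not curl's code and not the patch under discussion: every name in it (cert_chain, chain_add, chain_verify, pin_leaf_cb, the CERT_ERR_* flags) is invented, and the "DER" byte strings are constructed stand-ins rather than real certificates. It shows the two behaviours a practitioner cares about: without a callback any recorded error fails closed, and a callback can override backend errors only on its own terms, here by pinning the leaf certificate byte for byte.

```c
/* Added example: an SSL-library-agnostic certificate chain record plus
   verification callback, modelled on the design described in the mail.
   Hypothetical names throughout; this is not libcurl's API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 16   /* same hard-coded per-chain limit as in the mail */

enum cert_encoding { CERT_ENC_DER = 1 };   /* only DER is supported */

/* Implementation-independent error flags (a hypothetical set). */
enum cert_error {
    CERT_ERR_NONE           = 0,
    CERT_ERR_EXPIRED        = 1u << 0,
    CERT_ERR_NAME_MISMATCH  = 1u << 1,
    CERT_ERR_UNTRUSTED_ROOT = 1u << 2,
    CERT_ERR_CHAIN_TOO_LONG = 1u << 3
};

struct cert_entry {
    enum cert_encoding enc;
    const uint8_t *data;   /* raw certificate bytes (not copied here) */
    size_t len;
};

struct cert_chain {
    struct cert_entry certs[MAX_CHAIN];   /* certs[0] is the leaf */
    size_t count;
    unsigned errors;                      /* OR of cert_error bits */
};

/* Callback contract: return 0 to accept the connection, nonzero to reject. */
typedef int (*cert_verify_cb)(const struct cert_chain *chain, void *userdata);

void chain_init(struct cert_chain *c) { memset(c, 0, sizeof *c); }

/* Append one DER certificate; past the limit, refuse and record an error
   instead of silently dropping the tail of the chain. */
int chain_add(struct cert_chain *c, const uint8_t *der, size_t len)
{
    if (c->count >= MAX_CHAIN) {
        c->errors |= CERT_ERR_CHAIN_TOO_LONG;
        return -1;
    }
    c->certs[c->count].enc  = CERT_ENC_DER;
    c->certs[c->count].data = der;
    c->certs[c->count].len  = len;
    c->count++;
    return 0;
}

/* With a callback installed it has the final say; without one, any recorded
   error fails closed. */
int chain_verify(const struct cert_chain *c, cert_verify_cb cb, void *ud)
{
    if (cb)
        return cb(c, ud);
    return c->errors == CERT_ERR_NONE ? 0 : -1;
}

/* Example callback: pin the leaf certificate. Accepts only if the leaf is
   byte-for-byte the pinned DER and the chain was not truncated; backend
   errors such as an untrusted root are then deliberately overridden. */
struct pin { const uint8_t *der; size_t len; };

int pin_leaf_cb(const struct cert_chain *c, void *ud)
{
    const struct pin *p = ud;
    if (c->count == 0 || (c->errors & CERT_ERR_CHAIN_TOO_LONG))
        return -1;
    if (c->certs[0].len != p->len || memcmp(c->certs[0].data, p->der, p->len))
        return -1;
    return 0;
}

/* Constructed sample bytes standing in for DER certificates (not real). */
static const uint8_t LEAF_DER[]  = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static const uint8_t ROOT_DER[]  = { 0x30, 0x03, 0x02, 0x01, 0x02 };
static const uint8_t OTHER_DER[] = { 0x30, 0x03, 0x02, 0x01, 0x03 };

static void build_untrusted_chain(struct cert_chain *c)
{
    chain_init(c);
    chain_add(c, LEAF_DER, sizeof LEAF_DER);
    chain_add(c, ROOT_DER, sizeof ROOT_DER);
    c->errors |= CERT_ERR_UNTRUSTED_ROOT;   /* as the TLS backend would report */
}

int scenario_default_rejects(void)        /* no callback: fail closed -> -1 */
{
    struct cert_chain c; build_untrusted_chain(&c);
    return chain_verify(&c, NULL, NULL);
}

int scenario_pin_accepts(void)            /* pinned leaf overrides -> 0 */
{
    struct cert_chain c; build_untrusted_chain(&c);
    struct pin p = { LEAF_DER, sizeof LEAF_DER };
    return chain_verify(&c, pin_leaf_cb, &p);
}

int scenario_pin_rejects_other_leaf(void) /* wrong leaf, no errors -> -1 */
{
    struct cert_chain c; chain_init(&c);
    chain_add(&c, OTHER_DER, sizeof OTHER_DER);
    struct pin p = { LEAF_DER, sizeof LEAF_DER };
    return chain_verify(&c, pin_leaf_cb, &p);
}

int scenario_overflow(void)  /* 17 certs: add fails, flag set, count stays 16 */
{
    struct cert_chain c; chain_init(&c);
    int failed = 0;
    for (int i = 0; i < MAX_CHAIN + 1; i++)
        if (chain_add(&c, LEAF_DER, sizeof LEAF_DER) != 0) failed = 1;
    return failed && (c.errors & CERT_ERR_CHAIN_TOO_LONG) && c.count == MAX_CHAIN;
}

int main(void)
{
    printf("default: %d pin: %d other: %d overflow: %d\n",
           scenario_default_rejects(), scenario_pin_accepts(),
           scenario_pin_rejects_other_leaf(), scenario_overflow());
    return 0;
}
```

Two design points worth keeping in any real implementation of this callback: the default path with no callback must reject on any error rather than accept, and an over-long chain must surface as an error rather than be quietly truncated, since a callback that pins or inspects a certificate it never saw cannot make a sound decision.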