
Patch for TLS-SRP support (using GnuTLS)

From: Quinn Slack <sqs_at_cs.stanford.edu>
Date: Thu, 16 Dec 2010 15:50:06 -0600

Hi all,

I revived a proposed patch[1] by Peter Sylvester to add support
for TLS-SRP[2] (RFC 5054, mutually authenticated TLS, with
passwords instead of client/server certs). Peter's patch was
postponed because it relied on OpenSSL, which still doesn't have
TLS-SRP support (unlike GnuTLS, which now does).

My patch exposes GnuTLS's existing TLS-SRP support to cURL,
so library support is not an issue as it was with Peter's
patch. It adds 3 new options: --tlsuser, --tlspassword, and
--tlsauthtype (which defaults to SRP if tlsuser or tlspassword is
set). To be safe, it does not bypass peer verification of SSL
certs by default, so you have to explicitly disable peer
verification with -k/--insecure.

Diff: https://github.com/sqs/curl/compare/master...48763
Git: "tls-srp" branch of git://github.com/sqs/curl.git
Configure: ./configure --with-gnutls --without-ssl
Run: src/curl -vvvv -k --tlsuser jsmith --tlspassword abc https://173.255.214.119
      (you can also try user "alice" with password "123")
Sample output: see bottom of email
Instructions for setting up your own Apache/mod_gnutls
     server with TLS-SRP: http://trustedhttp.org/wiki/TLS-SRP

I would appreciate feedback on this patch.
-Quinn

[1] http://curl.haxx.se/mail/lib-2004-10/0004.html
[2] http://tools.ietf.org/html/rfc5054

Sample output with Apache/mod_gnutls serving a page that echoes "user is: $SSL_SRP_USER":

$ src/curl -vvvv -k --tlsuser jsmith --tlspassword abc https://tls-srp.test.trustedhttp.org
* About to connect() to tls-srp.test.trustedhttp.org port 443 (#0)
* Trying 173.255.214.119... connected
* Connected to tls-srp.test.trustedhttp.org (173.255.214.119) port 443 (#0)
* Using TLS-SRP username: jsmith
* common name: WARNING couldn't obtain
* server certificate verification SKIPPED
* compression: NULL
* cipher: AES-128-CBC
* MAC: SHA1
> GET / HTTP/1.1
> User-Agent: curl/7.21.3-DEV (x86_64-apple-darwin10.5.0) libcurl/7.21.3-DEV GnuTLS/2.10.4 zlib/1.2.5 libidn/1.19
> Host: tls-srp.test.trustedhttp.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 16 Dec 2010 21:41:57 GMT
< Server: Apache/2.2.16 (Ubuntu)
< Accept-Ranges: bytes
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
<
user is: jsmith
* Connection #0 to host tls-srp.test.trustedhttp.org left intact
* Closing connection #0
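What --tlsuser/--tlspassword drive underneath is the RFC 5054 SRP key exchange; the following is an added Python illustration of that exchange, not code from the patch, curl or GnuTLS. It reuses the mail's username "jsmith" and password "abc" with a constructed salt, uses the 1024-bit group from RFC 5054 Appendix A, and shows that the server stores only (salt, verifier) and that a wrong client password leaves the two sides with different premaster secrets.

```python
import hashlib
import secrets

# RFC 5054 Appendix A, 1024-bit group: N is prime, g = 2 is the generator.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8  # PAD() width in bytes, per RFC 5054

def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

def H(*parts: bytes) -> int:
    # RFC 5054 uses SHA-1 for all SRP hashes.
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def private_x(username: str, password: str, salt: bytes) -> int:
    # x = SHA1(s | SHA1(I | ":" | P))
    return H(salt, hashlib.sha1(f"{username}:{password}".encode()).digest())

def make_verifier(username: str, password: str, salt: bytes) -> int:
    """Enrollment: the server keeps (salt, v) and never the password."""
    return pow(g, private_x(username, password, salt), N)

def srp_exchange(username: str, client_password: str, salt: bytes, v: int):
    """Run one handshake; return (client premaster, server premaster)."""
    k = H(pad(N), pad(g))
    a = secrets.randbelow(N - 2) + 1          # client ephemeral (ClientHello carries I)
    A = pow(g, a, N)                          # sent in ClientKeyExchange
    if A % N == 0:
        raise ValueError("server must abort: A mod N == 0")
    b = secrets.randebelow(N - 2) + 1 if False else secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N            # sent in ServerKeyExchange with N, g, s
    if B % N == 0:
        raise ValueError("client must abort: B mod N == 0")
    u = H(pad(A), pad(B))
    x = private_x(username, client_password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    return S_client, S_server

def passwords_agree(client_password: str) -> bool:
    salt = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # constructed sample salt
    v = make_verifier("jsmith", "abc", salt)                    # server-side record
    s_client, s_server = srp_exchange("jsmith", client_password, salt, v)
    return s_client == s_server
```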

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-12-16