
Re: SSL validation callback

From: Peter Sylvester <peter.sylvester_at_edelweb.fr>
Date: Sun, 24 Apr 2011 18:57:45 +0200

Hi,

On 04/24/2011 01:03 PM, Daniel Stenberg wrote:
> On Wed, 20 Apr 2011, Clint Adams wrote:
>
>> I am interested in a callback for SSL connections that will work with GNUTLS or NSS. The
>> callback would need access to the X.509 certificate data retrieved from the peer (it would also
>> need to know the peer name and some other information, but I am assuming the reverse dependency
>> of libcurl can provide that information to the function itself). Its return value would
>> determine whether libcurl continued performing the transfer or aborted as if the traditional
>> certificate validation had failed.
>>
>> Is this something you'd consider viable for libcurl?
>
> Yes, that sounds like something that would fit very nicely into libcurl and that GnuTLS and NSS
> powered (anything except the OpenSSL backed ones really) libcurls are currently missing.
>
It is like opening a Pandora's box. The different toolkits provide for various callbacks,
parameter settings etc. and do this in different ways, and the data are presented
in different ways. Toolkits may also evolve and add new features.

A verify callback needs to understand the internals of the toolkit;
trying to hide this behind common data structures may be a nice idea
but looks like a fast hare running against (more than just two) hedgehogs.

The openssl initialisation callback permits setting toolkit-dependent
parameters in whatever is the relevant anchor control block for
a new ssl connection just before it is initialized. An obvious
usage example for openssl is to register any of the callbacks, e.g.
callback, or an information callback to get a client cert CA name
list etc., or, somewhat more exotic, set the actual URL based on
some extension in the cert (see the curlx example).

I think that the openssl initialisation callback of curl can be made
available with other toolkits. There is only one pointer which must
be provided, cast through a void*.

regards
Peter Sylvester

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2011-04-24