
SSL/TLS support using Windows SSPI Schannel API

From: Marc Hörsken <info_at_marc-hoersken.de>
Date: Mon, 9 Apr 2012 17:30:24 +0200

Hello everyone,

this weekend I took the time to create a new SSL/TLS module for libcurl. It
is now possible to use the Windows SSPI Schannel API for SSL and TLS
connections.

The new module makes use of the existing SSPI functionality in
*curl_sspi.[ch]* and also re-uses the DLL/library context if it has been
loaded. Basically *Curl_schannel_init* calls *Curl_sspi_global_init* and
*Curl_schannel_cleanup* calls *Curl_sspi_global_cleanup*.

More information about SSPI and the Schannel API:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa374731(v=vs.85).aspx#sspi_functions
http://msdn.microsoft.com/en-us/library/windows/desktop/ms678421(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/aa375924(v=vs.85).aspx

TLSv1, SSLv3 and SSLv2, including SNI, are already supported. The following
aspects/features are still on my TODO list:

   - implement session handling and re-use
   - implement write buffering
   - implement verification options
   - implement verification results
   - implement SSL/TLS shutdown
   - special cases: negotiation, certificates, algorithms

The great news behind all this is that it is now possible to do SSL/TLS
with curl, but without OpenSSL on Windows. This means that the Windows
certificate store is used and there are no other dependencies which need to
be installed. (Using user-supplied certificates and client-auth is on my
TODO list, but not implemented yet.)

You can find the current implementation in my fork at github.com:
https://github.com/mback2k/curl/tree/schannel
https://github.com/mback2k/curl/compare/schannel
I am not attaching patches yet, because I am still cleaning up some things
and consider the project a work-in-progress.

I also haven't modified the autotools buildscripts yet. I only added a new
option to the winbuild scripts. You can now pass WITH_SSL=schannel to them,
for example:

> nmake /f Makefile.vc mode=dll ENABLE_IDN=no WITH_SSL=schannel

I would appreciate it if some of you could start testing this and give me
feedback on functionality and code. Also, I would appreciate any help
modifying the autotools scripts to make cross-compilation using mingw
possible.

That's it for now, thanks in advance and please give it a try!

Best regards,
Marc

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-04-09