cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: CURLINFO_GNUTLS_SESSION (was Re: Patch: Support CURLINFO_CERTINFO with GnuTLS)

From: Christian Grothoff <grothoff_at_in.tum.de>
Date: Tue, 15 Oct 2013 15:26:40 +0200

Hi!

Here's an improved patch that makes this (presumably) SSL-backend
independent. I only tested it with GnuTLS though, and some SSL
backends are not supported by the patch. The patch would need to
be applied on top of the 2nd patch I sent (#2 and #3 are independent
of the first patch).

I hope you like this more general evolution of the API. While I
did test this using code very much like the one supplied in the
commit message, I cannot say what happens during SSL connection
shutdown --- again, the patch expects that if the SSL connection
is shut down, the "use" flag is cleared by libcurl and/or the
handle(s) are reset to NULL.

I toyed with the idea of returning a 'union' with the precise
types from the various SSL backends instead of returning a 'void *',
but that would have tied the public curl API to the various SSL
APIs, which would have been ugly, so I think 'void *' should do
nicely for now.

Happy hacking!

Christian

On 10/12/2013 11:55 PM, Daniel Stenberg wrote:
> On Fri, 20 Sep 2013, Christian Grothoff wrote:
>
>> Here is another patch which adds the CURLINFO_GNUTLS_SESSION option to
>> curl_easy_getinfo. It exposes the GnuTLS session to clients, which is
>> useful if clients need to inspect certificate chains or other
>> properties of the TLS connection. Naturally, the option only works if
>> cURL was compiled with GnuTLS support (hence the GNUTLS in the name).
>> This patch should be completely independent from my previous patch to
>> support CURLINFO_CERTINFO with GnuTLS, and I think it is generally
>> more useful as it allows applications to access certificates via the
>> nice GnuTLS X509 APIs instead of having to parse the strings.
>
> Hi!
>
> I can see why this option can be handy. I don't really like opening up
> the API for even more SSL-library specific things so I would prefer if
> you can think of a way that can return this information in an even more
> generic way that will include information for what SSL library the
> handle concerns so that we don't end up having to add a new such option
> for every SSL library we want to allow this "extraction" for.
>
> Also, I found the code needing some comments to explain what the loop
> does and I'm also a bit concerned if this really works properly in all
> cases, like even if the SSL connection was completely shutdown previous
> to this curl_easy_getinfo() call. How much testing have you done on this?
>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

text/x-patch attachment: stored

application/pgp-keys attachment: 0x48426C7E.asc

application/pgp-signature attachment: OpenPGP digital signature

Received on 2013-10-15

This message: [ Message body ]
Next message: Chiaramello Daniel: "Segmentation Fault while doing curl_easy_perform..."
Previous message: Daniel Stenberg: "Re: Failed Self Test (Mac OSX, x64)"
In reply to: Daniel Stenberg: "CURLINFO_GNUTLS_SESSION (was Re: Patch: Support CURLINFO_CERTINFO with GnuTLS)"
Next in thread: Dan Fandrich: "Re: CURLINFO_GNUTLS_SESSION (was Re: Patch: Support CURLINFO_CERTINFO with GnuTLS)"
Reply: Dan Fandrich: "Re: CURLINFO_GNUTLS_SESSION (was Re: Patch: Support CURLINFO_CERTINFO with GnuTLS)"
Reply: Christian Grothoff: "Re: CURLINFO_GNUTLS_SESSION (was Re: Patch: Support CURLINFO_CERTINFO with GnuTLS)"
Reply: Daniel Stenberg: "Re: CURLINFO_GNUTLS_SESSION (was Re: Patch: Support CURLINFO_CERTINFO with GnuTLS)"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]