curl-library
Re: retrieving negotiated ssl/tls version
Date: Wed, 4 Mar 2015 11:30:11 -0800
This is against curl 1.41.0 release.
Index: src/vendor/curl/docs/libcurl/symbols-in-versions
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/docs/libcurl/symbols-in-versions~0
2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/docs/libcurl/symbols-in-versions
2015-03-02 10:36:09.000000000 -0800
@@ -227,6 +227,7 @@
CURLINFO_LONG 7.4.1
CURLINFO_MASK 7.4.1
CURLINFO_NAMELOOKUP_TIME 7.4.1
+CURLINFO_NEGOTIATED_SSL 7.42.0
CURLINFO_NONE 7.4.1
CURLINFO_NUM_CONNECTS 7.12.3
CURLINFO_OS_ERRNO 7.12.2
Index: src/vendor/curl/include/curl/curl.h
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/include/curl/curl.h~0
2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/include/curl/curl.h
2015-03-02 17:34:03.000000000 -0800
@@ -2114,7 +2114,8 @@
CURLINFO_TLS_SESSION = CURLINFO_SLIST + 43,
/* Fill in new entries below here! */
- CURLINFO_LASTONE = 43
+ CURLINFO_NEGOTIATED_SSL = CURLINFO_LONG + 44,
+ CURLINFO_LASTONE = 44
} CURLINFO;
/* CURLINFO_RESPONSE_CODE is the new name for the option previously known as
DELETED src/vendor/curl/include/curl/curlbuild.h
Index: src/vendor/curl/lib/getinfo.c
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/lib/getinfo.c~0
2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/lib/getinfo.c 2015-03-03
13:41:35.000000000 -0800
@@ -70,6 +70,7 @@
info->conn_local_ip[0] = '\0';
info->conn_primary_port = 0;
info->conn_local_port = 0;
+ info->negotiated_ssl = -1L;
return CURLE_OK;
}
@@ -137,6 +138,9 @@
case CURLINFO_HTTP_CONNECTCODE:
*param_longp = data->info.httpproxycode;
break;
+ case CURLINFO_NEGOTIATED_SSL:
+ *param_longp = data->info.negotiated_ssl;
+ break;
case CURLINFO_FILETIME:
*param_longp = data->info.filetime;
break;
Index: src/vendor/curl/lib/urldata.h
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/lib/urldata.h~0
2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/lib/urldata.h 2015-03-02
17:47:29.000000000 -0800
@@ -1139,6 +1139,7 @@
struct curl_certinfo certs; /* info about the certs, only populated in
OpenSSL builds. Asked for with
CURLOPT_CERTINFO / CURLINFO_CERTINFO */
+ long negotiated_ssl; /* the version of ssl/tls that we negotiated */
};
Index: src/vendor/curl/lib/vtls/darwinssl.c
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/lib/vtls/darwinssl.c~0
2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/lib/vtls/darwinssl.c
2015-03-03 13:07:26.000000000 -0800
@@ -1919,6 +1919,7 @@
(void)SSLGetNegotiatedProtocolVersion(connssl->ssl_ctx, &protocol);
switch (protocol) {
case kSSLProtocol2:
+ /* bch ref -- NEGOTIATED_SSL info here (?) */
infof(data, "SSL 2.0 connection using %s\n",
SSLCipherNameForNumber(cipher));
break;
Index: src/vendor/curl/lib/vtls/openssl.c
==================================================================
--- /home/bch/work/tcurl/src/vendor/curl/lib/vtls/openssl.c~0
2015-03-04 11:24:44.000000000 -0800
+++ /home/bch/work/tcurl/src/vendor/curl/lib/vtls/openssl.c
2015-03-03 13:40:41.000000000 -0800
@@ -1660,6 +1660,35 @@
#endif /* USE_NGHTTP2 */
+void
+set_ssl_version_long(SSL *ssl, struct connectdata *conn)
+{
+ long code=-1L; /* this happens to be CURL_SSLVERSION_DEFAULT -- nb:
we need stricter use of these enums (ref: CURL_SSLVERSION_DEFAULT = 1)
*/
+ if(ssl) {
+ switch(SSL_version(ssl)) {
+#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
+ case TLS1_2_VERSION:
+ code = CURL_SSLVERSION_TLSv1_2;
+ break;
+ case TLS1_1_VERSION:
+ code = CURL_SSLVERSION_TLSv1_1;
+ break;
+#endif
+ case TLS1_VERSION:
+ code = CURL_SSLVERSION_TLSv1;
+ break;
+ case SSL3_VERSION:
+ code = CURL_SSLVERSION_SSLv3;
+ break;
+ case SSL2_VERSION:
+ code = CURL_SSLVERSION_SSLv2;
+ break;
+ }
+ }
+ conn->data->info.negotiated_ssl = code; /* nb: the ssl instance of
struct connectdata did not have ->data -- discuss */
+ /* move this whole works to get_ssl_version_txt() (which appears to
get called w/ or wo VERBOSE) ? */
+}
+
static const char *
get_ssl_version_txt(SSL *ssl)
{
@@ -2203,6 +2232,7 @@
/* we have been connected fine, we're not waiting for anything else. */
connssl->connecting_state = ssl_connect_3;
+ set_ssl_version_long(connssl->handle, conn);
/* Informational message */
infof(data, "SSL connection using %s / %s\n",
get_ssl_version_txt(connssl->handle),
On 3/4/15, Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Tue, 3 Mar 2015, bch wrote:
>
>> so, I've got a proof-of-concept (OpenSSL only, atm) ready for review.
>> What's
>> the best way to proceed from here -- is prefered to mail a patch, or issue
>> a
>> pull request on github, or ???
>
> Your choice really. I like a plain patch in a mail to this list.
>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-03-04