
curl-library

Re: CURLINFO_TLS_SESSION with OPENSSL returns SSL_CTX instead of SSL

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 30 Sep 2015 04:14:10 -0400

On 9/29/2015 12:13 PM, Michael König wrote:
> Hi everyone,
>
> I got into a situation where I want to check what protocol version and cipher
> were used for an SSL connection (HTTPS).
>
> I found CURLINFO_TLS_SESSION and it looked like it might give me access to the
> information I need, but it does not. When using the OpenSSL backend,
> CURLINFO_TLS_SESSION returns the SSL_CTX. While the CTX contains information
> that affected the creation of the SSL session, it does not contain any
> information about the established connection. It contains the list of
> acceptable ciphers, but not the information about which cipher or protocol
> version was actually used.
>
> To probe that information from OpenSSL you need a pointer to the SSL object,
> which holds the SSL_CTX and not the other way around.
>
> Was there a reason for not returning the SSL object, or was it an oversight?
> Changing the behaviour now feels like a really bad idea, due to the code
> breaking potential. Is there any alternative? I did not check the other
> backends as to how consistent the nature of the returned value is. I am only
> somewhat familiar with CURLSSLBACKEND_SCHANNEL and could check that.

You can try using SSL_CTX_set_info_callback [1] to work with the SSL
handle when the handshake is complete. I made an example [2] that shows
how to read the version and cipher from the SSL handle. It doesn't take
into account renegotiation. A bigger problem is afaict there is no user
pointer to pass to OpenSSL for the curl handle so in the example there's
no logic to tell which curl handle the SSL handle is associated with.
There's probably a way around that without all sorts of trickery but I
can't think of it at the moment.

I don't know why the SSL object isn't exposed. It's been proposed
before; I don't remember what happened.

[1]: https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_info_callback.html
[2]: https://gist.github.com/jay/982b70e50bdd8a86415c

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-09-30