Download
Browse source Changelog
Documentation
Project   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Enabled multiple SSL backends

From: Kamil Dudka via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 30 Aug 2017 10:06:02 +0200

On Monday, August 28, 2017 11:22:51 PM CEST Daniel Stenberg wrote:
> Hi friends!
>
> As of minutes ago, libcurl has the ability to change SSL backend dynamically
> at run-time - if built with the support enabled. That means that the choice
> does no longer only have to happen at build-time.
>
> curl_global_sslset() is the new function for selecting which SSL backend to
> use. See https://curl.haxx.se/libcurl/c/curl_global_sslset.html

Should the curl_global_sslset() function really be declared in <curl/multi.h>?
I though that the include file was used solely for the libcurl multi API...

> There's also a new example showing it in use:
> https://curl.haxx.se/libcurl/c/sslbackend.html
>
> To build with multiple backends, just specify all you want on the configure
> line. Ie "--with-ssl --with-gnutls" builds with both OpenSSL *and* GnuTLS.
>
> Tell configure which backend to use by default when built to use several,
> with --with-default-ssl-backend.
>
> This is of course a rather huge change to a lot of TLS code so of course
> there's a risk that some things broke in this process even if Johannes has
> done a wonderful work on this and I've done my best in reviewing it. Please
> be extra alert for SSL related quirks in the nearest future.

If I build curl with both NSS and OpenSSL while OpenSSL being the default:

$ ./configure --with-ssl --with-nss --with-default-ssl-backend=openssl --disable-tls-srp

... NTLM authentication (e.g. in test-suite) fails with the following error:

* unable to initialize NSS, curl_global_init() should have been called with CURL_GLOBAL_SSL or CURL_GLOBAL_ALL

This is caused by using NSS for the crypto operations despite only OpenSSL
was initialized. Should the switch work for SSL only or should it work for
the low-level crypto operations, too?

I see that Curl_ssl includes hooks for md5 and sha256 but I guess it would
significantly complicate the interface if we wanted to make the crypto
backends for NTLM and the like also run-time switchable...

A lightweight solution would be to fix curl_ntlm_core.c such that it uses
crypto operations from the default SSL/crypto backend. This would fix the
breakage in the most common case. However, NTLM would still break if the
SSL backend was switched at run-time.

Kamil

> Finally, all credits for the heavy lifting here should go to Johannes
> Schindelin! Thanks!
>
> Questions?
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-08-30