curl-library

RE: Fetching the detail of SSL Host verification failure

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 31 Oct 2018 13:22:43 +0100 (CET)

On Mon, 29 Oct 2018, Basuke.Suzuki_at_sony.com wrote:

> Oh my. I thought I needed to return the OpenSSL error code because the
> current code base is doing so.
>
> https://github.com/curl/curl/blob/e97679a360dda4ea6188b09a145f73a2a84acedd/lib/vtls/openssl.c#L3325
>> lerr = *certverifyresult = SSL_get_verify_result(BACKEND->handle);

Hm, you're right of course. But this isn't documented... An interesting
situation.

Gah, why did we do it like that! I can only see that only NSS and OpenSSL ever
support this.

Okay, what about this adjusted plan:

Create a new info flag ("CURLINFO_SSL_VERIFIED" ?) that works the way I
described it, that can return certificate verification details in an SSL
backend agnostic way, and we document that clearly and as preferred over
CURLINFO_SSL_VERIFYRESULT.

What do you think? (It also needs a separate proxy version.)

-- 
  / daniel.haxx.se
Received on 2018-10-31