TODO: Reordered the protocol and security sections

Moved SMTP, POP3, IMAP and New Protocol sections to be listed after the
other protocols (FTP, HTTP and TELNET) and SASL to be after SSL and
GnuTLS as these are all security related.

Additionally fixed numbering of the SSL and GnuTLS sections as they
weren't consecutive.
commit 90110a9be0d55a870c665aa913b97fb620657262 1 parent b0dfbf3
Steve Holme authored March 18, 2013

Showing 1 changed file with 117 additions and 119 deletions.

  1. 236  docs/TODO
@@ -45,41 +45,41 @@
45 45
  6.3 feature negotiation debug data
46 46
  6.4 send data in chunks
47 47
 
48  
- 7. SSL
49  
- 7.1 Disable specific versions
50  
- 7.2 Provide mutex locking API
51  
- 7.3 Evaluate SSL patches
52  
- 7.4 Cache OpenSSL contexts
53  
- 7.5 Export session ids
54  
- 7.6 Provide callback for cert verification
55  
- 7.7 Support other SSL libraries
56  
- 7.9 improve configure --with-ssl
57  
- 7.10 Support DANE
58  
-
59  
- 8. GnuTLS
60  
- 8.1 SSL engine stuff
61  
- 8.3 check connection
62  
-
63  
- 9. SMTP
64  
- 9.1 Specify the preferred authentication mechanism
65  
- 9.2 Initial response
66  
- 9.3 Pipelining
67  
- 9.4 Graceful base64 decoding failure
  48
+ 7. SMTP
  49
+ 7.1 Specify the preferred authentication mechanism
  50
+ 7.2 Initial response
  51
+ 7.3 Pipelining
  52
+ 7.4 Graceful base64 decoding failure
68 53
  
69  
- 10. POP3
70  
- 10.1 auth= in URLs
71  
- 10.2 Initial response
72  
- 10.3 Graceful base64 decoding failure
  54
+ 8. POP3
  55
+ 8.1 auth= in URLs
  56
+ 8.2 Initial response
  57
+ 8.3 Graceful base64 decoding failure
73 58
  
74  
- 11. IMAP
75  
- 11.1 auth= in URLs
76  
- 11.2 Graceful base64 decoding failure
  59
+ 9. IMAP
  60
+ 9.1 auth= in URLs
  61
+ 9.2 Graceful base64 decoding failure
77 62
  
78  
- 12. LDAP
79  
- 12.1 SASL based authentication mechanisms
  63
+ 10. LDAP
  64
+ 10.1 SASL based authentication mechanisms
80 65
  
81  
- 13. New protocols
82  
- 13.1 RSYNC
  66
+ 11. New protocols
  67
+ 11.1 RSYNC
  68
+
  69
+ 12. SSL
  70
+ 12.1 Disable specific versions
  71
+ 12.2 Provide mutex locking API
  72
+ 12.3 Evaluate SSL patches
  73
+ 12.4 Cache OpenSSL contexts
  74
+ 12.5 Export session ids
  75
+ 12.6 Provide callback for cert verification
  76
+ 12.7 Support other SSL libraries
  77
+ 12.8 improve configure --with-ssl
  78
+ 12.9 Support DANE
  79
+
  80
+ 13. GnuTLS
  81
+ 13.1 SSL engine stuff
  82
+ 13.2 check connection
83 83
 
84 84
  14. SASL
85 85
  14.1 Other authentication mechanisms
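Review bot: the new table of contents closes the numbering gaps on the removed side (the old list jumps from 7.7 to 7.9 and from 8.1 to 8.3) and now runs 12.1 to 12.9 for SSL and 13.1 to 13.2 for GnuTLS, placed directly before 14. SASL as the commit message describes, so the reorder itself is correct. Style point only: "12.8 improve configure --with-ssl" and "13.2 check connection" keep a lowercase first word while every neighbouring entry is capitalised; since these lines are already being rewritten, capitalising them here and in the matching body headings would be cheap.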
@@ -178,7 +178,6 @@
178 178
 
179 179
     http://tools.ietf.org/html/rfc6555
180 180
 
181  
-
182 181
 2. libcurl - multi interface
183 182
 
184 183
 2.1 More non-blocking
@@ -270,7 +269,6 @@
270 269
  headers use a default value so only headers that need to be moved have to be
271 270
  specified.
272 271
 
273  
-
274 272
 6. TELNET
275 273
 
276 274
 6.1 ditch stdin
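Review bot: this hunk and the one before it (at -178,7) each delete only a stray blank line, before "6. TELNET" here and before "2. libcurl - multi interface" there, and that whitespace cleanup is not mentioned in the commit message. Either add a sentence to the message or leave these two hunks out of a commit that is otherwise a pure section move; they are also the reason the diff stats show 119 deletions against 117 additions for what the message presents as a reorder.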
@@ -295,84 +293,15 @@ to provide the data to send.
295 293
   use, but inefficient for any other.  Sent data should be sent in larger
296 294
   chunks.
297 295
 
298  
-7. SSL
299  
-
300  
-7.1 Disable specific versions
301  
-
302  
- Provide an option that allows for disabling specific SSL versions, such as
303  
- SSLv2 http://curl.haxx.se/bug/feature.cgi?id=1767276
304  
-
305  
-7.2 Provide mutex locking API
306  
-
307  
- Provide a libcurl API for setting mutex callbacks in the underlying SSL
308  
- library, so that the same application code can use mutex-locking
309  
- independently of OpenSSL or GnutTLS being used.
310  
-
311  
-7.3 Evaluate SSL patches
312  
-
313  
- Evaluate/apply Gertjan van Wingerde's SSL patches:
314  
- http://curl.haxx.se/mail/lib-2004-03/0087.html
315  
-
316  
-7.4 Cache OpenSSL contexts
317  
-
318  
- "Look at SSL cafile - quick traces look to me like these are done on every
319  
- request as well, when they should only be necessary once per ssl context (or
320  
- once per handle)". The major improvement we can rather easily do is to make
321  
- sure we don't create and kill a new SSL "context" for every request, but
322  
- instead make one for every connection and re-use that SSL context in the same
323  
- style connections are re-used. It will make us use slightly more memory but
324  
- it will libcurl do less creations and deletions of SSL contexts.
325  
-
326  
-7.5 Export session ids
327  
-
328  
- Add an interface to libcurl that enables "session IDs" to get
329  
- exported/imported. Cris Bailiff said: "OpenSSL has functions which can
330  
- serialise the current SSL state to a buffer of your choice, and recover/reset
331  
- the state from such a buffer at a later date - this is used by mod_ssl for
332  
- apache to implement and SSL session ID cache".
333  
-
334  
-7.6 Provide callback for cert verification
335  
-
336  
- OpenSSL supports a callback for customised verification of the peer
337  
- certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
338  
- it be? There's so much that could be done if it were!
339  
-
340  
-7.7 Support other SSL libraries
341  
-
342  
- Make curl's SSL layer capable of using other free SSL libraries.  Such as
343  
- MatrixSSL (http://www.matrixssl.org/).
344  
-
345  
-7.9 improve configure --with-ssl
346  
-
347  
- make the configure --with-ssl option first check for OpenSSL, then GnuTLS,
348  
- then NSS...
349  
-
350  
-7.10 Support DANE
351  
-
352  
- DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
353  
- keys and certs over DNS using DNSSEC as an alternative to the CA model.
354  
- http://www.rfc-editor.org/rfc/rfc6698.txt
355  
-
356  
-8. GnuTLS
357  
-
358  
-8.1 SSL engine stuff
359  
-
360  
- Is this even possible?
361  
-
362  
-8.3 check connection
363  
-
364  
- Add a way to check if the connection seems to be alive, to correspond to the
365  
- SSL_peak() way we use with OpenSSL.
366  
-
367  
-9. SMTP
  296
+7. SMTP
368 297
 
369  
-9.1 Specify the preferred authentication mechanism
  298
+7.1 Specify the preferred authentication mechanism
370 299
 
371 300
  Add the ability to specify the preferred authentication mechanism or a list
372 301
  of mechanisms that should be used. Not only that, but the order that is
373 302
  returned by the server during the EHLO response should be honored by curl.
374 303
 
375  
-9.2 Initial response
  304
+7.2 Initial response
376 305
 
377 306
  Add the ability for the user to specify whether the initial response is
378 307
  included in the AUTH command. Some email servers, such as Microsoft
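Review bot: the removed SSL and GnuTLS block (old lines 298 to 366) should be checked word for word against the block re-added at new lines 374 to 442 before merging, since a move that quietly edits content is the hardest kind of change to review; comparing the two sides shows the bodies are identical apart from the section numbers, so this hunk is a clean cut. It would help readers of the history if the commit message spelled out the mapping the renumbering implies: old 7.9 and 7.10 become 12.8 and 12.9, and old 8.3 becomes 13.2.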
@@ -381,53 +310,53 @@ to provide the data to send.
381 310
 
382 311
  http://curl.haxx.se/mail/lib-2012-03/0114.html
383 312
 
384  
-9.3 Pipelining
  313
+7.3 Pipelining
385 314
 
386 315
  Add support for pipelining emails.
387 316
 
388  
-9.4 Graceful base64 decoding failure
  317
+7.4 Graceful base64 decoding failure
389 318
 
390 319
  Rather than shutting down the session and returning an error when the
391 320
  decoding of a base64 encoded authentication response fails, we should
392 321
  gracefully shutdown the authentication process by sending a * response to the
393 322
  server as per RFC4954.
394 323
 
395  
-10. POP3
  324
+8. POP3
396 325
 
397  
-10.1 auth= in URLs
  326
+8.1 auth= in URLs
398 327
 
399 328
  Being able to specify the preferred authentication mechanism in the URL as
400 329
  per RFC2384.
401 330
 
402  
-10.2 Initial response
  331
+8.2 Initial response
403 332
 
404 333
  Add the ability for the user to specify whether the initial response is
405 334
  included in the AUTH command as per RFC5034.
406 335
 
407  
-10.3 Graceful base64 decoding failure
  336
+8.3 Graceful base64 decoding failure
408 337
 
409 338
  Rather than shutting down the session and returning an error when the
410 339
  decoding of a base64 encoded authentication response fails, we should
411 340
  gracefully shutdown the authentication process by sending a * response to the
412 341
  server as per RFC5034.
413 342
 
414  
-11. IMAP
  343
+9. IMAP
415 344
 
416  
-11.1 auth= in URLs
  345
+9.1 auth= in URLs
417 346
 
418 347
  Being able to specify the preferred authentication mechanism in the URL as
419 348
  per RFC5092.
420 349
 
421  
-11.2 Graceful base64 decoding failure
  350
+9.2 Graceful base64 decoding failure
422 351
 
423 352
  Rather than shutting down the session and returning an error when the
424 353
  decoding of a base64 encoded authentication response fails, we should
425 354
  gracefully shutdown the authentication process by sending a * response to the
426 355
  server as per RFC3501.
427 356
 
428  
-12. LDAP
  357
+10. LDAP
429 358
 
430  
-12.1 SASL based authentication mechanisms
  359
+10.1 SASL based authentication mechanisms
431 360
 
432 361
  Currently the LDAP module only supports ldap_simple_bind_s() in order to bind
433 362
  to an LDAP server. However, this function sends username and password details
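Review bot: this hunk is renumbering only, and every new heading number (7.3 and 7.4 for SMTP, 8 to 8.3 for POP3, 9 to 9.2 for IMAP, 10 and 10.1 for LDAP) matches the table of contents in the first hunk, so nothing needs to change here.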
@@ -435,18 +364,87 @@ to provide the data to send.
435 364
  be possible to use ldap_bind_s() instead specifing the security context
436 365
  information ourselves.
437 366
 
438  
-13. New protocols
  367
+11. New protocols
439 368
 
440  
-13.1 RSYNC
  369
+11.1 RSYNC
441 370
 
442 371
  There's no RFC for the protocol or an URI/URL format.  An implementation
443 372
  should most probably use an existing rsync library, such as librsync.
444 373
 
  374
+12. SSL
  375
+
  376
+12.1 Disable specific versions
  377
+
  378
+ Provide an option that allows for disabling specific SSL versions, such as
  379
+ SSLv2 http://curl.haxx.se/bug/feature.cgi?id=1767276
  380
+
  381
+12.2 Provide mutex locking API
  382
+
  383
+ Provide a libcurl API for setting mutex callbacks in the underlying SSL
  384
+ library, so that the same application code can use mutex-locking
  385
+ independently of OpenSSL or GnutTLS being used.
  386
+
  387
+12.3 Evaluate SSL patches
  388
+
  389
+ Evaluate/apply Gertjan van Wingerde's SSL patches:
  390
+ http://curl.haxx.se/mail/lib-2004-03/0087.html
  391
+
  392
+12.4 Cache OpenSSL contexts
  393
+
  394
+ "Look at SSL cafile - quick traces look to me like these are done on every
  395
+ request as well, when they should only be necessary once per ssl context (or
  396
+ once per handle)". The major improvement we can rather easily do is to make
  397
+ sure we don't create and kill a new SSL "context" for every request, but
  398
+ instead make one for every connection and re-use that SSL context in the same
  399
+ style connections are re-used. It will make us use slightly more memory but
  400
+ it will libcurl do less creations and deletions of SSL contexts.
  401
+
  402
+12.5 Export session ids
  403
+
  404
+ Add an interface to libcurl that enables "session IDs" to get
  405
+ exported/imported. Cris Bailiff said: "OpenSSL has functions which can
  406
+ serialise the current SSL state to a buffer of your choice, and recover/reset
  407
+ the state from such a buffer at a later date - this is used by mod_ssl for
  408
+ apache to implement and SSL session ID cache".
  409
+
  410
+12.6 Provide callback for cert verification
  411
+
  412
+ OpenSSL supports a callback for customised verification of the peer
  413
+ certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
  414
+ it be? There's so much that could be done if it were!
  415
+
  416
+12.7 Support other SSL libraries
  417
+
  418
+ Make curl's SSL layer capable of using other free SSL libraries.  Such as
  419
+ MatrixSSL (http://www.matrixssl.org/).
  420
+
  421
+12.8 improve configure --with-ssl
  422
+
  423
+ make the configure --with-ssl option first check for OpenSSL, then GnuTLS,
  424
+ then NSS...
  425
+
  426
+12.9 Support DANE
  427
+
  428
+ DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
  429
+ keys and certs over DNS using DNSSEC as an alternative to the CA model.
  430
+ http://www.rfc-editor.org/rfc/rfc6698.txt
  431
+
  432
+13. GnuTLS
  433
+
  434
+13.1 SSL engine stuff
  435
+
  436
+ Is this even possible?
  437
+
  438
+13.2 check connection
  439
+
  440
+ Add a way to check if the connection seems to be alive, to correspond to the
  441
+ SSL_peak() way we use with OpenSSL.
  442
+
445 443
 14. SASL
446 444
 
447 445
 14.1 Other authentication mechanisms
448 446
 
449  
- Add support for gssapi to SMTP, POP3 and IMAP.
  447
+ Add support for GSSAPI to SMTP, POP3 and IMAP.
450 448
 
451 449
 15. Client
452 450
 
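Review bot: the change from "gssapi" to "GSSAPI" in section 14.1 is an unrelated edit inside a move commit and is not mentioned in the commit message; add a line to the message or split it out. The moved SSL and GnuTLS text also carries over several pre-existing defects that a follow-up could fix now that the block has been touched: "GnutTLS" at new line 385, "it will libcurl do less creations" at line 400, "implement and SSL session ID cache" at line 408, and "SSL_peak()" at line 441, which presumably means the OpenSSL function SSL_peek(); "specifing" in the unchanged LDAP context at line 364 belongs in the same cleanup. The numbering on the added side (12.1 to 12.9, 13.1 and 13.2) is consecutive and agrees with the table of contents.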