
TODO: WinSSL: 'Add option to disable client cert auto-send'

By default WinSSL selects and sends a client certificate automatically,
but for privacy and consistency we should offer an option to disable the
default auto-send behavior.

Reported-by: Jeroen Ooms

Closes #2262
jay committed Jan 29, 2019
1 parent a9d9a3a commit 3de607415c4e54206e33f677cfdc225cd1256357
Showing with 14 additions and 0 deletions.
  1. +14 −0 docs/TODO
@@ -126,6 +126,7 @@
15. WinSSL/SChannel
15.1 Add support for client certificate authentication
15.3 Add support for the --ciphers option
15.4 Add option to disable client certificate auto-send

16. SASL
16.1 Other authentication mechanisms
@@ -876,6 +877,19 @@ that doesn't exist on the server, just like --ftp-create-dirs.
- Specifying Schannel Ciphers and Cipher Strengths
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx

15.4 Add option to disable client certificate auto-send

Microsoft says "By default, Schannel will, with no notification to the client,
attempt to locate a client certificate and send it to the server." That could
be considered a privacy violation and unexpected.

Some Windows users have come to expect that default behavior and to change the
default to make it consistent with other SSL backends would be a breaking
change. An option should be added that can be used to disable the default
Schannel auto-send behavior.

https://github.com/curl/curl/issues/2262

16. SASL

16.1 Other authentication mechanisms
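
Review bot: the Microsoft quotation in the first paragraph of 15.4 has no source. The only link in the new entry is the GitHub issue, while the entry just above it cites the MSDN page it relies on. Add the URL of the Microsoft document the sentence is quoted from, so a reader can check the wording against the original. The first sentence of the second paragraph is also hard to parse ("... and to change the default to make it consistent ..."); splitting it in two, one sentence for what users expect and one for why changing the default would be a breaking change, would read more clearly.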
