
Add a user callback for SSL connections #685

Closed
jay opened this issue Feb 28, 2016 · 4 comments

Comments


jay commented Feb 28, 2016

Currently CURLINFO_TLS_SSL_PTR and CURLINFO_TLS_SESSION return only the first active in-use SSL handle, as seen here.

for(i = 0; i < (sizeof(conn->ssl) / sizeof(conn->ssl[0])); ++i) {
  if(conn->ssl[i].use) {

There are only two sockets in that array, FIRSTSOCKET (0) and SECONDARYSOCKET (1). It would appear SECONDARYSOCKET is only for FTP and would not be in use if FIRSTSOCKET was not in use. So that would mean it is always returning the active SSL handle associated with FIRSTSOCKET, and I don't see how the user could retrieve the SSL handle associated with SECONDARYSOCKET.

How important this is I'm not sure; I guess it depends on what people are using this for, but if they are using it for verification I'd assume they want to verify all the SSL connections. I was thinking of changing CURLINFO_TLS_SSL_PTR to CURLINFO_TLS_SESSION_FULL and including the SECONDARYSOCKET handle; however, that handle could change because the secondary socket may be opened and closed multiple times (depending on how many FTP file transfers). I assume one could test for different pointer addresses for the SSL handle, but the address may be reused. So that brings me to the next idea: a user callback each time an SSL connection is made.
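An added illustration (not curl's code, and not part of the original issue) of the two points above: the getinfo loop's first-in-use selection, and why a per-connection callback would still see the secondary socket after it is closed and reopened at the same slot address. The struct, function and callback names are hypothetical stand-ins for curl's conn->ssl slots.

```c
#include <stddef.h>
#define FIRSTSOCKET 0
#define SECONDARYSOCKET 1
/* Stand-ins for curl's two per-connection SSL slots (hypothetical, not curl's structs). */
struct ssl_slot { int use; int handle_id; };
struct conn { struct ssl_slot ssl[2]; };
/* Mirrors the getinfo loop quoted in the issue: the first in-use slot wins, so with
   both sockets active the SECONDARYSOCKET handle is never reported. */
const struct ssl_slot *first_in_use_ssl(const struct conn *c)
{
    size_t i;
    for(i = 0; i < (sizeof(c->ssl) / sizeof(c->ssl[0])); ++i) {
        if(c->ssl[i].use)
            return &c->ssl[i];
    }
    return NULL;
}
/* Hypothetical per-connection hook: fires every time a slot is (re)opened, so a
   verifier sees each FTP data connection even though the slot address is reused. */
typedef void (*ssl_connect_cb)(int sockindex, const struct ssl_slot *s, void *userp);
static int next_handle_id = 100;
void open_ssl(struct conn *c, int sockindex, ssl_connect_cb cb, void *userp)
{
    c->ssl[sockindex].use = 1;
    c->ssl[sockindex].handle_id = next_handle_id++; /* new handle, same slot address */
    if(cb)
        cb(sockindex, &c->ssl[sockindex], userp);
}
struct verify_log { int calls; int secondary_calls; };
static void count_cb(int sockindex, const struct ssl_slot *s, void *userp)
{
    struct verify_log *log = userp;
    (void)s; /* a real verifier would inspect this handle's peer certificate */
    log->calls++;
    if(sockindex == SECONDARYSOCKET)
        log->secondary_calls++;
}
/* One FTPS session: control connection plus two data transfers reusing the SECONDARYSOCKET
   slot. Returns the callback's SECONDARYSOCKET count; polling first_in_use_ssl() instead
   would only ever have yielded the FIRSTSOCKET handle. */
int simulate_ftp_session(struct verify_log *log)
{
    struct conn c = {{{0, 0}, {0, 0}}};
    open_ssl(&c, FIRSTSOCKET, count_cb, log);
    open_ssl(&c, SECONDARYSOCKET, count_cb, log);
    c.ssl[SECONDARYSOCKET].use = 0; /* first data connection closed */
    open_ssl(&c, SECONDARYSOCKET, count_cb, log);
    return log->secondary_calls;
}
```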

henrita commented Mar 7, 2016

Isn't that what CURLOPT_SSL_CTX_FUNCTION is? https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CTX_FUNCTION.html

bagder commented Mar 18, 2016

It sounds like a good idea, but if we don't have anyone asking for this feature and nobody has expressed a desire to use it, I think we can stash the idea in the TODO list until a potential user steps forward.

jay commented Mar 23, 2016

Very well. I added a LIMITATIONS section in 949c388 to explain the limitations to the user and I've put in a link to this issue; let's see if it's worth pursuing.

jay closed this as completed Mar 23, 2016

bartonjs commented
For what it's worth, I ran into this issue from the LIMITATIONS section while trying to find a DarwinSSL equivalent to CURLOPT_SSL_CTX_FUNCTION while trying to support the DarwinSSL backend via .NET Core macOS.

Our API is designed as a mid-handshake custom validation hook (with the results of what the system validation had concluded, e.g. chain trust, hostname mismatch).

lock bot locked as resolved and limited conversation to collaborators May 7, 2018
curl unlocked this conversation Feb 26, 2021