Add a user callback for SSL connections #685
Comments
Isn't that what CURLOPT_SSL_CTX_FUNCTION is? https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CTX_FUNCTION.html
It sounds like a good idea, but if we don't have anyone asking for this feature and nobody has an expressed desire to use it, I think we can stash the idea in the TODO list until a potential user steps forward.
Very well. I added a LIMITATIONS section in 949c388 to explain the limitations to the user and I've put a link to this issue; let's see if it's worth pursuing.
For what it's worth, I ran into this issue from the LIMITATIONS section while trying to find a DarwinSSL equivalent to CURLOPT_SSL_CTX_FUNCTION while trying to support the DarwinSSL backend via .NET Core macOS. Our API is designed as a mid-handshake custom validation hook (with the results of what the system validation had concluded, e.g. chain trust, hostname mismatch).
Currently CURLINFO_TLS_SSL_PTR and CURLINFO_TLS_SESSION return only the first active in-use SSL handle, as seen here. There are only two sockets in that array, FIRSTSOCKET (0) and SECONDARYSOCKET (1). It would appear SECONDARYSOCKET is only for FTP and would not be in use if FIRSTSOCKET was not in use. So that would mean it is always returning the active SSL handle associated with FIRSTSOCKET, and I don't see how the user could retrieve the SSL handle associated with SECONDARYSOCKET.
How important this is I'm not sure; I guess it depends on what people are using this for, but if they are using it for verification I'd assume they want to verify all the SSL connections. I was thinking of changing CURLINFO_TLS_SSL_PTR to CURLINFO_TLS_SESSION_FULL and including the SECONDARYSOCKET handle; however, that handle could change because the secondary socket may be opened and closed multiple times (depending on how many FTP file transfers there are). I assume one could test for different pointer addresses for the SSL handle, but the address may be reused. So that brings me to the next idea: a user callback each time an SSL connection is made.