SChannel: Support SCH_USE_STRONG_CRYPTO #6734
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fixup: Match format preferences for
xim
commented
Mar 12, 2021
lib/vtls/schannel.c
Outdated
| @@ -335,6 +335,11 @@ set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) | |||
| alg = get_alg_id_by_name(startCur); | |||
| if(alg) | |||
| algIds[algCount++] = alg; | |||
| #ifdef SCH_USE_STRONG_CRYPTO | |||
There was a problem hiding this comment.
Checks revealed that old toolchains don't provide SCH_USE_STRONG_CRYPTO. Is it better to do this, or should I rather do
#ifndef SCH_USE_STRONG_CRYPTO
#define SCH_USE_STRONG_CRYPTO 0x00400000
#endif
There was a problem hiding this comment.
should I rather do
#ifndef SCH_USE_STRONG_CRYPTO #define SCH_USE_STRONG_CRYPTO 0x00400000 #endif
yes
|
I'm happy with the patch as is, and all test failures appeared to be unrelated. Just tell me if further actions are required. |
|
It looks fine, it will be added next feature window. Ignore the test failures that's an unrelated issue. |
|
Thanks. I just landed a slightly modified version, it documents SCH_USE_STRONG_CRYPTO instead of USE_STRONG_CRYPTO but both are accepted. I did this for consistency because the other schannel cipher options use OS symbols, eg CALG_ECDH_EPHEM. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Feature was discussed on curl-library@cool.haxx.se;
Subject: Adding flags to SChannel cred.I wasn't sure about where, and to what extent, this should be documented.
Also note that I tested this by compiling curl.exe on the latest preview on windows 10. Downloading https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html with and without
--ciphers USE_STRONG_CRYPTOand diffing the results shows that 3des is correctly disabled.