Implement MultiSSL in winbuild? #13
Here is an example patch: Jan-E@3997fc0 With this patch you can just change the |
Example output:
Note that Schannel does not support http/2 |
@Jan-E thanks for bringing this up. Why not work for better OpenSSL support instead? Having to support multiple libraries is not particularly useful from many perspectives. Thanks. |
Curl supports WINSSL out-of-the-box with no extra dependencies. I noticed that MultiSSL with OpenSSL and Schannel was already supported with the ./configure (cross-compile on Ubuntu for Windows). I just figured out what would be needed to enable that in winbuild as well. Better OpenSSL support would be fine, but I see no way to update the curl-ca-bundle.crt automatically. Winssl has the advantage that it uses the Windows certificate store, so updates will be handled by Windows Update. In the PECL mailing list there was a discussion in the beginning of January this year with Vincent JARDIN about winssl support in php_curl.dll. If the upstream library supports it and handles all changes, then it would be a nice addition if PHP supports MultiSSL as well. |
This is not true. Check The addition might be nice, however the approach seems to add an incomplete solution. How is it supposed to work if one needs both OpenSSL and Winssl features? Can they be mixed? OpenSSL can do the same job, still, and we have zero maintenance cost on that. Btw what do you mean Schannel doesn't support HTTP/2? Something about encryption algorithms used there? As a crypto library actually is not supposed to implement network protocols. Thanks. |
Right. I missed that one. And I really do not know what we are missing.
This was discussed when MultiSSL was introduced: curl/curl#1601 (comment)
/quote
They should be independent, but apparently they are not. After setting CURL_SSL_BACKEND to Schannel Curl establishes a http/1.1 connection, no http/2 one. See the sample output: #13 (comment) |
Are you sure this is done by OpenSSL internally? It looks to me that it is done by the PHP openssl extension: At least in 2013 OpenSSL itself did not use the Windows Certificate Store:
Maybe what we are missing in ext/curl is a way to export the Windows store and feed it as curl-ca-bundle.crt to the curl library. That is above my head and can only be done by someone with a thorough knowledge of the php openssl extension. |
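The export idea from the comment above, as an added PowerShell example (not part of the thread and not code from PHP or curl): it writes the currently valid certificates in the Windows `LocalMachine\Root` store as a PEM bundle that an OpenSSL-backed libcurl can load through `curl.cainfo` or `CURLOPT_CAINFO`. The output path and the `ConvertTo-Pem` helper are hypothetical names chosen for this example.

```powershell
# Added example: snapshot the Windows trusted-root store into a PEM CA bundle.
# Assumption: $OutFile is a hypothetical path; adjust it to where curl.cainfo points.
param(
    [string]$OutFile = 'C:\php\extras\ssl\curl-ca-bundle.crt'
)

function ConvertTo-Pem {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # RawData is the DER encoding; PEM is base64 of it wrapped at 64 characters.
    $b64 = [Convert]::ToBase64String($Cert.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    # Text outside the BEGIN/END markers is ignored by PEM readers, so the
    # thumbprint line works as a comment for later auditing of the bundle.
    @("# thumbprint $($Cert.Thumbprint), expires $($Cert.NotAfter.ToString('yyyy-MM-dd'))",
      '-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----' + ''
}

$now   = Get-Date
$count = 0

# Machine-wide roots only: per-user roots are left out so that a certificate
# added by a single account does not end up trusted by every PHP process.
$pem = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    ForEach-Object {
        $count++
        ConvertTo-Pem $_
    }

if ($count -eq 0) {
    throw 'No valid root certificates found; refusing to write an empty bundle.'
}

# Write to a temporary file first so a failed run never leaves a truncated bundle.
$tmp = "$OutFile.tmp"
[IO.File]::WriteAllLines($tmp, [string[]]$pem, [Text.Encoding]::ASCII)
Move-Item -Force $tmp $OutFile

'{0} root certificates written to {1}' -f $count, $OutFile
```

The bundle is a point-in-time snapshot, so it has to be regenerated (for example from a scheduled task) to pick up later additions and removals. Windows also fetches many roots on demand, so a freshly installed machine may export fewer certificates than Schannel would end up trusting.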
One more issue I am facing with Openssl limitations on Windows: it does support the native Microsoft Winscard (smartcards) while schannel does support it. That's why curl with schannel is needed too. |
Regarding PHP, there are two cases for SSL:
|
@vjardin All my PHP-builds at https://www.apachelounge.com/viewtopic.php?t=6359 have WinSSL as second library now. |
On 12 April 2019 23:16:23, Jan Ehrhardt <notifications@github.com> wrote:
@vjardin All my PHP-builds at
https://www.apachelounge.com/viewtopic.php?t=6359 have WinSSL as second
library now.
Great news. Please where is the git repo ?
|
For php curl: https://github.com/Jan-E/cURL-winlibs |
What about the PHP SSL stream? For example, how do you manage php_register_url_stream_wrapper() for https using winssl instead of openssl? |
No idea (yet). |
PR in the upstream library: curl/curl#3772 |
Merged: curl/curl@79c4864 |
@Jan-E About HTTP/2 here https://support.microsoft.com/ms-my/help/4032720/how-to-deploy-custom-cipher-suite-ordering-in-windows-server-2016. Regarding the backend setting - it's not about the same request, it is in the console @vjardin Smartcard support might be an argument. However it's an additional not yet supported feature, not a bugfix. Is there some documentation, usage example and so on? Schannel in general will need a full QA round, our dev plan for 7.4 is already full. We should not just drop users in the cold water without testing it properly and without OpenSSL/Schannel having the same features. Smartcard is at best not the widespread use case, what other issues schannel has remain to be discovered. If someone is interested to work on it, we could help with reviews and etc. for now. Otherwise you're probably good to stick with custom libcurl builds. Thanks. |
SmartCard is now widely used for healthcare applications. We need to set up the SSL sessions based on some HSM from some local servers toward some regional servers. It is spreading in EU. |
I was disconnected from these topics during the last few months. I did not notice any other threads about php/curl/winssl, am I missing something? |
Adding full Schannel support to PHP is out of the scope of this repo. There is already https://bugs.php.net/77505, and to push that, a PR would be welcome; maybe it also would require an RFC. |
@weltling @cmb69
Would it be an idea to implement MultiSSL in the winbuild makefiles? I could propose a change like that in the curl upstream repo.