Implement MultiSSL in winbuild? #13

Closed
Jan-E opened this issue Apr 12, 2019 · 20 comments

Comments

Jan-E (Contributor) commented Apr 12, 2019

@weltling @cmb69
Would it be an idea to implement MultiSSL in the winbuild makefiles? I could propose a change like that in the curl upstream repo.

Jan-E (Contributor, Author) commented Apr 12, 2019

Here is an example patch: Jan-E@3997fc0

With this patch you can just change the ENABLE_WINSSL=no into ENABLE_WINSSL=yes in the Release build command lines. Then the default SSL lib will be OpenSSL, but that can be changed by an environment variable CURL_SSL_BACKEND into Schannel.

See https://curl.haxx.se/libcurl/c/libcurl-env.html

Jan-E (Contributor, Author) commented Apr 12, 2019

Example output:

C:\>set CURL_SSL_BACKEND=

C:\>curl --version
curl 7.64.1 (i386-pc-win32) libcurl/7.64.1 OpenSSL/1.0.2r (Schannel) zlib/1.2.11 WinIDN libssh2/1.8.2 nghttp2/1.38.0
Release-Date: 2019-03-27
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile MultiSSL NTLM SPNEGO SSL SSPI libz

C:\>curl --head https://nghttp2.org/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

C:\>curl --insecure --head https://nghttp2.org/
HTTP/2 200
date: Fri, 12 Apr 2019 11:54:49 GMT
content-type: text/html
last-modified: Fri, 08 Mar 2019 12:33:02 GMT
etag: "5c8260fe-19d8"
accept-ranges: bytes
content-length: 6616
x-backend-header-rtt: 0.002062
strict-transport-security: max-age=31536000
server: nghttpx
via: 2 nghttpx
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff


C:\>set CURL_SSL_BACKEND=Schannel

C:\>curl --head https://nghttp2.org/
HTTP/1.1 200 OK
Date: Fri, 12 Apr 2019 11:54:50 GMT
Content-Type: text/html
Last-Modified: Fri, 08 Mar 2019 12:33:02 GMT
Etag: "5c8260fe-19d8"
Accept-Ranges: bytes
Content-Length: 6616
X-Backend-Header-Rtt: 0.002543
Strict-Transport-Security: max-age=31536000
Server: nghttpx
Via: 2 nghttpx
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff

Note that Schannel does not support http/2
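As an added example (not code from the issue, from curl or from php-src), the following Python script models the backend-selection rule that the transcript above exercises: it parses the `curl --version` banner, in which a MultiSSL build prints the default TLS backend right after `libcurl/x.y.z` and every other compiled-in backend in parentheses, and then applies the rule libcurl documents for CURL_SSL_BACKEND, a case-insensitive name match with a fall-back to the build-time default when the variable is empty or names no available backend. The banner text is the one pasted above; the function names and the `expect_backend` check are this example's own.

```python
"""Model libcurl's MultiSSL backend selection from a ``curl --version`` banner.

Added example, not code from the issue, curl or php-src.  A MultiSSL build
prints the default TLS backend right after ``libcurl/x.y.z`` and every other
compiled-in backend in parentheses; libcurl then honours CURL_SSL_BACKEND by
a case-insensitive name match and falls back to the default otherwise.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Backend names as libcurl prints them in the version banner (lower-cased).
KNOWN_TLS_BACKENDS = {
    "openssl", "libressl", "boringssl", "schannel", "gnutls", "nss",
    "mbedtls", "wolfssl", "securetransport",
}

# Constructed sample: the first lines of the ``curl --version`` output pasted
# in the issue above (MultiSSL winbuild, OpenSSL default plus Schannel).
SAMPLE_VERSION = (
    "curl 7.64.1 (i386-pc-win32) libcurl/7.64.1 OpenSSL/1.0.2r (Schannel) "
    "zlib/1.2.11 WinIDN libssh2/1.8.2 nghttp2/1.38.0\n"
    "Release-Date: 2019-03-27\n"
    "Features: AsynchDNS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile "
    "MultiSSL NTLM SPNEGO SSL SSPI libz\n"
)


@dataclass
class CurlInfo:
    version: str
    default_backend: Optional[str]
    other_backends: List[str] = field(default_factory=list)
    features: Set[str] = field(default_factory=set)

    @property
    def available(self) -> List[str]:
        head = [self.default_backend] if self.default_backend else []
        return head + self.other_backends

    @property
    def multissl(self) -> bool:
        return "MultiSSL" in self.features


def parse_curl_version(text: str) -> CurlInfo:
    """Extract version, TLS backends and feature flags from the banner."""
    lines = text.splitlines()
    tokens = lines[0].split()
    version = tokens[1]
    libcurl_at = next(i for i, tok in enumerate(tokens) if tok.startswith("libcurl/"))
    default, others = None, []
    for tok in tokens[libcurl_at + 1:]:
        name = tok.strip("()").split("/", 1)[0]      # "OpenSSL/1.0.2r" -> "OpenSSL"
        if name.lower() not in KNOWN_TLS_BACKENDS:
            continue                                  # zlib, nghttp2, WinIDN, ...
        if tok.startswith("("):
            others.append(name)                       # alternate backend
        elif default is None:
            default = name                            # build-time default
    features: Set[str] = set()
    for line in lines[1:]:
        if line.startswith("Features:"):
            features = set(line.split(":", 1)[1].split())
    return CurlInfo(version, default, others, features)


def select_backend(info: CurlInfo, env_value: Optional[str]) -> Tuple[str, str]:
    """Return (backend, reason) libcurl ends up with for CURL_SSL_BACKEND=env_value."""
    if not info.multissl or len(info.available) < 2:
        only = info.available[0] if info.available else "none"
        return only, "single-backend build: CURL_SSL_BACKEND is ignored"
    if not env_value:
        return info.default_backend, "CURL_SSL_BACKEND unset or empty: build-time default"
    for name in info.available:
        if name.lower() == env_value.lower():        # libcurl matches names case-insensitively
            return name, "matched CURL_SSL_BACKEND"
    # No error is raised for an unknown name; libcurl silently uses the default.
    return info.default_backend, f"unknown backend {env_value!r}: fell back to the default"


def expect_backend(info: CurlInfo, env_value: Optional[str], required: str) -> bool:
    """Deployment check: does this build plus environment really give the backend we need?"""
    chosen, _ = select_backend(info, env_value)
    return chosen.lower() == required.lower()


if __name__ == "__main__":
    import os
    info = parse_curl_version(SAMPLE_VERSION)
    print(f"curl {info.version}: default={info.default_backend} others={info.other_backends}")
    for value in (None, "", "Schannel", "schannel", "Schanel"):
        print(f"CURL_SSL_BACKEND={value!r:<12} -> {select_backend(info, value)}")
    print("Windows store in use:",
          expect_backend(info, os.environ.get("CURL_SSL_BACKEND"), "Schannel"))
```

The fall-back is the part worth checking in a deployment: a mistyped CURL_SSL_BACKEND value does not fail, it quietly hands the process back to OpenSSL and therefore to the curl-ca-bundle.crt file instead of the Windows store, which is the (60) verification error shown in the transcript. libcurl reads the variable once, at first initialisation, so in a PHP process the choice is made when ext/curl first initialises libcurl and cannot be changed per request.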

weltling (Contributor) commented:
@Jan-E thanks for bringing this up. Why not work for better OpenSSL support instead? Having to support multiple libraries is not particularly useful from many perspectives.

Thanks.

Jan-E (Contributor, Author) commented Apr 12, 2019

Curl supports WINSSL out-of-the-box with no extra dependencies. I noticed that MultiSSL with OpenSSL and Schannel was already supported with the ./configure (cross-compile on Ubuntu for Windows). I just figured out what would be needed to enable that in winbuild as well.

Better OpenSSL support would be fine, but I see no way to update the curl-ca-bundle.crt automatically. Winssl has the advantage that it uses the Windows certificate store, so updates will be handled by windowsupdate.

On the PECL mailing list there was a discussion at the beginning of January this year with Vincent JARDIN about winssl support in php_curl.dll. If the upstream library supports it and handles all changes, then it would be a nice addition if PHP supports MultiSSL as well.

weltling (Contributor) commented:

> Better OpenSSL support would be fine, but I see no way to update the curl-ca-bundle.crt automatically. Winssl has the advantage that it uses the Windows certificate store, so updates will be handled by windowsupdate.

This is not true. Check file_get_contents('https://nghttp2.org/'). OpenSSL uses the Windows certificate store internally. What do we miss to have it in ext/curl?

The addition might be nice, however the approach seems to add an incomplete solution. How is it supposed to work if one needs both OpenSSL and Winssl features? Can they be mixed? OpenSSL can do the same job, still, and we have zero maintenance cost on that.

Btw what do you mean Schannel doesn't support HTTP/2? Something about encryption algorithms used there? A crypto library actually is not supposed to implement network protocols.

Thanks.

Jan-E (Contributor, Author) commented Apr 12, 2019

> Better OpenSSL support would be fine, but I see no way to update the curl-ca-bundle.crt automatically. Winssl has the advantage that it uses the Windows certificate store, so updates will be handled by windowsupdate.

> This is not true. Check file_get_contents('https://nghttp2.org/'). OpenSSL uses the Windows certificate store internally. What do we miss to have it in ext/curl?

Right. I missed that one. And I really do not know what we are missing.

> The addition might be nice, however the approach seems to add an incomplete solution. How is it supposed to work if one needs both OpenSSL and Winssl features? Can they be mixed? OpenSSL can do the same job, still, and we have zero maintenance cost on that.

This was discussed when MultiSSL was introduced: curl/curl#1601 (comment)
Quote by @bagder:

> I don't think we'll be able to mix/change SSL-backend on an existing connection

> Btw what do you mean Schannel doesn't support HTTP/2? Something about encryption algorithms used there? A crypto library actually is not supposed to implement network protocols.

They should be independent, but apparently they are not. After setting CURL_SSL_BACKEND to Schannel Curl establishes a http/1.1 connection, no http/2 one. See the sample output: #13 (comment)

Jan-E (Contributor, Author) commented Apr 12, 2019

> This is not true. Check file_get_contents('https://nghttp2.org/'). OpenSSL uses the Windows certificate store internally. What do we miss to have it in ext/curl?

Are you sure this is done by OpenSSL internally? It looks to me that it is done by the PHP openssl extension:
static int check_cert: https://github.com/php/php-src/blob/master/ext/openssl/openssl.c#L2578

At least in 2013 OpenSSL itself did not use the Windows Certificate Store:
https://groups.google.com/forum/#!topic/mailing.openssl.dev/AG3QwMNS0dM
Quote by @snhenson:

> A problem with using the Windows stores is which certificates to actually use.
> The stores contain root CAs which should be used only for verification of
> servers, clients, email and some other purposes too. I never found out a way
> using Windows APIs to extract this information. If someone knows how I'd
> appreciate some pointers.

Maybe what we are missing in ext/curl is a way to export the Windows store and feed it as curl-ca-bundle.crt to the curl library. That is above my head and can only be done by someone with a thorough knowledge of the php openssl extension.
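One way to do what the preceding comment describes, export the Windows store into a PEM bundle that libcurl can consume, as an added example in Python rather than inside ext/curl (this is not the issue's, curl's or php-src's code): the standard-library `ssl.enum_certificates()` reads a Windows system store and reports, per certificate, either `True` (trusted for every purpose) or the set of extended-key-usage OIDs it is trusted for, which is the per-purpose information the quoted 2013 message was asking about. The script keeps only X.509 entries trusted for TLS server authentication, de-duplicates roots that appear in both the ROOT and CA stores, and writes them as a bundle; the sample entries at the bottom are constructed placeholder blobs, not real certificates, so the filter can be exercised on any platform.

```python
"""Build a curl-ca-bundle.crt from the Windows certificate stores.

Added example, not code from the issue, curl or php-src.  ssl.enum_certificates()
is Windows-only; the filtering and PEM-writing helpers are pure and run anywhere.
"""
import ssl
import sys
from typing import Iterable, List, Tuple

# X.509 extended key usage OID for TLS WWW server authentication (RFC 5280).
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

# Shape of one ssl.enum_certificates() entry: (der_bytes, encoding_type, trust).
StoreEntry = Tuple[bytes, str, object]


def trusted_for_server_auth(trust) -> bool:
    """The store reports True (all purposes) or a set of EKU OIDs the cert is trusted for."""
    if trust is True:
        return True
    if isinstance(trust, (set, frozenset)):
        return SERVER_AUTH_OID in trust
    return False


def select_server_auth_certs(entries: Iterable[StoreEntry]) -> List[bytes]:
    """Keep X.509 DER blobs the store trusts for server authentication.

    PKCS#7 entries and certificates restricted to other purposes (code signing,
    e-mail protection) are dropped; duplicates across stores are written once.
    """
    selected: List[bytes] = []
    seen = set()
    for der, encoding, trust in entries:
        if encoding != "x509_asn":          # only bare X.509 certificates
            continue
        if not trusted_for_server_auth(trust):
            continue
        if der in seen:                     # same root in both ROOT and CA
            continue
        seen.add(der)
        selected.append(der)
    return selected


def to_pem_bundle(ders: Iterable[bytes]) -> str:
    """Concatenate DER certificates as PEM, the format curl's CAINFO expects."""
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)


def export_windows_stores(path: str, stores=("ROOT", "CA")) -> int:
    """Windows only: write server-auth-trusted certs from the given stores to path."""
    entries: List[StoreEntry] = []
    for store in stores:
        entries.extend(ssl.enum_certificates(store))
    ders = select_server_auth_certs(entries)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(to_pem_bundle(ders))
    return len(ders)


# Constructed sample entries (placeholder DER blobs, NOT real certificates) so the
# filtering logic can be exercised offline on any platform.
SAMPLE_ENTRIES: List[StoreEntry] = [
    (b"\x30\x03\x02\x01\x01", "x509_asn", True),                                  # all purposes: keep
    (b"\x30\x03\x02\x01\x02", "x509_asn", {SERVER_AUTH_OID, "1.3.6.1.5.5.7.3.2"}),  # server+client auth: keep
    (b"\x30\x03\x02\x01\x03", "x509_asn", {"1.3.6.1.5.5.7.3.3"}),                 # code signing only: drop
    (b"\x30\x03\x02\x01\x01", "x509_asn", True),                                  # duplicate of the first: drop
    (b"\x30\x03\x02\x01\x04", "pkcs_7_asn", True),                                # not a bare X.509 cert: drop
]


if __name__ == "__main__":
    if sys.platform == "win32":
        count = export_windows_stores("curl-ca-bundle.crt")
        print(f"wrote {count} certificates to curl-ca-bundle.crt")
    else:
        print(to_pem_bundle(select_server_auth_certs(SAMPLE_ENTRIES)))
```

Point curl at the result with `--cacert`, CURLOPT_CAINFO or the curl tool's CURL_CA_BUNDLE environment variable (in PHP, `curl.cainfo` in php.ini or CURLOPT_CAINFO per handle). Two caveats follow from the thread: the export is a snapshot, so it has to be regenerated after Windows Update changes the stores, and a flat PEM bundle cannot carry the per-purpose trust the store has, which is why the filter runs before writing. Note also that Windows fetches many roots on demand through its automatic root update, so the local ROOT store may not yet contain every root the platform would trust on first use.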

vjardin commented Apr 12, 2019

One more issue I am facing with Openssl limitations on Windows: it does not support the native Microsoft Winscard (smartcards) while schannel does support it. That's why curl with schannel is needed too.

vjardin commented Apr 12, 2019

Regarding PHP, there are two cases for SSL:

  • PHP/curl : on Windows, one should be able to use schannel so we can leverage the store and the smartcards. Even if openssl could support windows store I do not think it can support Winscard.

  • PHP/ssl: it leverages a very old integration of openssl. It needs a lot of refreshing, but the main one would be to support schannel so Winscard can be used (smartcards, HSM).
    I tried to add both Winssl and openssl to the PHP/SSL layer but currently I gave up since it is a huge amount of work, so I am using PHP/Linux/Openssl/pkcs11 in order to leverage a HSM (smartcard).

Jan-E (Contributor, Author) commented Apr 12, 2019

@vjardin All my PHP-builds at https://www.apachelounge.com/viewtopic.php?t=6359 have WinSSL as second library now.

vjardin commented Apr 12, 2019 via email

Jan-E (Contributor, Author) commented Apr 12, 2019

> Please, where is the git repo?

For php curl: https://github.com/Jan-E/cURL-winlibs
No single repo for all the other extensions.

vjardin commented Apr 12, 2019

What about the PHP SSL stream? For example, how do you manage php_register_url_stream_wrapper() for https using winssl instead of openssl?

Jan-E (Contributor, Author) commented Apr 12, 2019

> What about the PHP SSL stream? For example, how do you manage php_register_url_stream_wrapper() for https using winssl instead of openssl?

No idea (yet).

Jan-E (Contributor, Author) commented Apr 12, 2019

PR in the upstream library: curl/curl#3772

Jan-E (Contributor, Author) commented Apr 14, 2019

Merged: curl/curl@79c4864

weltling (Contributor) commented Apr 16, 2019

@Jan-E About HTTP/2 here https://support.microsoft.com/ms-my/help/4032720/how-to-deploy-custom-cipher-suite-ordering-in-windows-server-2016. Regarding the backend setting - it's not about the same request, it is in the console curl.exe, but in PHP the whole process would stick to the same backend, and that's not thread safe until there's no intention to switch between backends.

@vjardin Smartcard support might be an argument. However, it's an additional not-yet-supported feature, not a bugfix. Is there some documentation, usage example and so on? Schannel in general will need a full QA round; our dev plan for 7.4 is already full. We should not just drop users in the cold water without testing it properly and without OpenSSL/Schannel having the same features. Smartcard is at best not the widespread use case; what other issues Schannel has is yet to be discovered. If someone is interested in working on it, we could help with reviews etc. for now. Otherwise you're probably good to stick with custom libcurl builds.

Thanks.

vjardin commented Apr 17, 2019

SmartCard is now widely used for healthcare applications. We need to set up the SSL sessions based on some HSM from some local servers towards some regional servers. It is spreading in the EU.
If needed, I can do some testing and even some bug fixing once SChannel is integrated with the SmartCards and PHP, PHP/Streams, Curl, etc. However, I do not have enough skills to bootstrap SChannel. I did try, but there are too many differences compared to the OpenSSL APIs that I know quite well.

vjardin commented Jul 5, 2019

I was disconnected from these topics during the last few months. I did not notice any other threads about php/curl/winssl; am I missing something?

cmb69 (Contributor) commented Jul 8, 2019

Adding full Schannel support to PHP is out of the scope of this repo. There is already https://bugs.php.net/77505, and to push that, a PR would be welcome; maybe it also would require an RFC.
