On Mon, 13 Dec 2010, Hu, Eric wrote:

I found two very annoying traits of axTLS cert handling that don't matter for our application, but will probably impact everyone else.

Oh yes, they are very annoying. My cacert bundle does however start with the correct 10 bytes so that's not exactly my problem.

I didn't debug my case very much yet, but attached here you will find two additional curl patches that I've made that allow:

A) TLS connections using the "default" version which I think is "whatever
   works" and makes axTLS work without explicitly having been told to use
   TLSv1

B) I made the command line -k work, which basically is the
   CURLOPT_SSL_VERIFYPEER option that can tell libcurl to skip the cert
   verification against the cacert.

--

 / daniel.haxx.se
From cccd8d0888aa5c98a7b07f5a1bd84b0ba015d427 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Wed, 15 Dec 2010 10:23:19 +0100
Subject: [PATCH 1/2] axTLS: allow "default" SSL version as well

When no explicit version is selected we should try to use whatever is
best for us, and in the axTLS case that means TLSv1.
---
 lib/axtls.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/lib/axtls.c b/lib/axtls.c
index 80c3554..855b554 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -164,7 +164,12 @@ Curl_axtls_connect(struct connectdata *conn,
     return CURLE_OK;
 
   /* axTLS only supports TLSv1 */
-  if(data->set.ssl.version != CURL_SSLVERSION_TLSv1) {
+  /* check to see if we've been told to use an explicit SSL/TLS version */
+  switch(data->set.ssl.version) {
+  case CURL_SSLVERSION_DEFAULT:
+  case CURL_SSLVERSION_TLSv1:
+    break;
+  default:
     failf(data, "axTLS only supports TLSv1");
     return CURLE_SSL_CONNECT_ERROR;
   }
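Review bot: the new switch silently resolves CURL_SSLVERSION_DEFAULT to TLSv1, which is the right choice for a backend that cannot negotiate anything else, but the old comment "/* axTLS only supports TLSv1 */" now sits directly above a second comment and no longer explains the DEFAULT case; suggest folding them into one, e.g. "/* axTLS only speaks TLSv1, so DEFAULT means TLSv1; any other explicit version is an error */", so a reader sees that DEFAULT does not mean a downgrade to SSLv3 is possible. Explicit SSLv2/SSLv3 requests still fall through to failf() and CURLE_SSL_CONNECT_ERROR, which is the correct behaviour to keep.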
-- 
1.7.2.3

From 5bb3b7d1c08100d677baebbc3138594ddb01e9d0 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Wed, 15 Dec 2010 11:11:20 +0100
Subject: [PATCH 2/2] axtls_connect: allow connect without peer verification

The SSL_SERVER_VERIFY_LATER bit in the ssl_ctx_new() call allows the
code to verify the peer certificate explicitly after the handshake and
then the "data->set.ssl.verifypeer" option works.
---
 lib/axtls.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/lib/axtls.c b/lib/axtls.c
index 855b554..152de6f 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -156,7 +156,7 @@ Curl_axtls_connect(struct connectdata *conn,
   const char *x509;
 
   /* Assuming users will not compile in custom key/cert to axTLS */
-  uint32_t client_option = SSL_NO_DEFAULT_KEY;
+  uint32_t client_option = SSL_NO_DEFAULT_KEY|SSL_SERVER_VERIFY_LATER;
 
   if(conn->ssl[sockindex].state == ssl_connection_complete)
     /* to make us tolerant against being called more than once for the
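Review bot: setting SSL_SERVER_VERIFY_LATER unconditionally means the handshake now completes without axTLS checking the server certificate at all, so the security of the connection rests entirely on the explicit post-handshake verification the commit message describes; that call and its gating on data->set.ssl.verifypeer are not in this hunk, so please confirm in the same patch that the verify step is reached on every successful handshake, that a verification failure when verifypeer is set tears down the connection before any data is sent, and that the option is only skipped when verifypeer is explicitly false. A one-line comment next to the client_option initialisation saying where the deferred verification happens would make the intent clear to the next reader.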
-- 
1.7.2.3

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
