Hi all,

I revived a proposed patch[1] by Peter Sylvester to add support
for TLS-SRP[2] (RFC 5054, mutually authenticated TLS, with
passwords instead of client/server certs). Peter's patch was
postponed because it relied on OpenSSL, which still doesn't have
TLS-SRP support (unlike GnuTLS, which now does).

My patch exposes GnuTLS's existing TLS-SRP support to cURL,
so library support is not an issue as it was with Peter's
patch. It adds 3 new options: --tlsuser, --tlspassword, and
--tlsauthtype (which defaults to SRP if tlsuser or tlspassword is
set). To be safe, it does not bypass peer verification of SSL
certs by default, so you have to explicitly disable peer
verification with -k/--insecure.

Diff: https://github.com/sqs/curl/compare/master...48763
Git: "tls-srp" branch of git://github.com/sqs/curl.git
Configure: ./configure --with-gnutls --without-ssl
Run: src/curl -vvvv -k --tlsuser jsmith --tlspassword abc https://173.255.214.119
     (you can also try user "alice" with password "123")
Sample output: see bottom of email
Instructions for setting up your own Apache/mod_gnutls server with TLS-SRP: http://trustedhttp.org/wiki/TLS-SRP

I would appreciate feedback on this patch.
-Quinn


[1] http://curl.haxx.se/mail/lib-2004-10/0004.html
[2] http://tools.ietf.org/html/rfc5054


Sample output with Apache/mod_gnutls serving a page that echoes "user is: $SSL_SRP_USER":

$ src/curl -vvvv -k --tlsuser jsmith --tlspassword abc https://tls-srp.test.trustedhttp.org
* About to connect() to tls-srp.test.trustedhttp.org port 443 (#0)
*   Trying 173.255.214.119... connected
* Connected to tls-srp.test.trustedhttp.org (173.255.214.119) port 443 (#0)
* Using TLS-SRP username: jsmith
*        common name: WARNING couldn't obtain
*        server certificate verification SKIPPED
*        compression: NULL
*        cipher: AES-128-CBC
*        MAC: SHA1
> GET / HTTP/1.1
> User-Agent: curl/7.21.3-DEV (x86_64-apple-darwin10.5.0) libcurl/7.21.3-DEV GnuTLS/2.10.4 zlib/1.2.5 libidn/1.19
> Host: tls-srp.test.trustedhttp.org
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Thu, 16 Dec 2010 21:41:57 GMT
< Server: Apache/2.2.16 (Ubuntu)
< Accept-Ranges: bytes
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
< 
user is: jsmith
* Connection #0 to host tls-srp.test.trustedhttp.org left intact
* Closing connection #0
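For readers who want to see what the handshake behind --tlsuser/--tlspassword computes, here is an added Python sketch of the RFC 5054 SRP key agreement (it is not part of the patch, curl, or GnuTLS). It uses the RFC 5054 Appendix A 1024-bit group and SHA-1 as that RFC specifies; the salt and the jsmith/abc credentials are constructed sample values, and the point it shows is that the server stores only a salt and verifier, never the password, and that both sides reach the same premaster secret only when the password matches.

```python
import hashlib
import os

# RFC 5054 Appendix A, 1024-bit group (generator g = 2).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x):
    """PAD() from RFC 5054: big-endian, left-padded to the byte length of N."""
    return x.to_bytes(NLEN, "big")


def H(*parts):
    """TLS-SRP fixes the hash to SHA-1; result is interpreted as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def private_x(username, password, salt):
    """x = SHA1(s | SHA1(I | ":" | P)); derived from the password on the client only."""
    return H(salt, hashlib.sha1(username + b":" + password).digest())


def make_verifier(username, password, salt):
    """Enrollment: the server stores (salt, v = g^x mod N) instead of the password."""
    return pow(g, private_x(username, password, salt), N)


def srp_exchange(username, password, salt, v):
    """One SRP-6a handshake; returns (client premaster, server premaster)."""
    k = H(pad(N), pad(g))                                  # k = SHA1(N | PAD(g))
    a = int.from_bytes(os.urandom(32), "big")              # client ephemeral
    A = pow(g, a, N)                                       # sent in ClientKeyExchange
    b = int.from_bytes(os.urandom(32), "big")              # server ephemeral
    B = (k * v + pow(g, b, N)) % N                         # sent in ServerKeyExchange
    if A % N == 0 or B % N == 0:                           # RFC 5054: abort on degenerate values
        raise ValueError("illegal public value")
    u = H(pad(A), pad(B))                                  # u = SHA1(PAD(A) | PAD(B))
    x = private_x(username, password, salt)                # client side: needs the password
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow((A * pow(v, u, N)) % N, b, N)           # server side: needs only v
    return s_client, s_server


# Constructed sample: enroll jsmith/abc, then run the handshake with the right password.
SALT = bytes(range(16))
V = make_verifier(b"jsmith", b"abc", SALT)
```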
