Oscar Koeroo wrote:
> I'm trying to get a hold of Qssl/QsoSSL's API and a test machine to fix some
> of these limitations. If you have pointers on how to get me closer to QsoSSL
> (API spec and library to test or a test system) that would be appreciated.

First, I hope you're aware that it's pure OS/400 dialect :-(

Mmm, I would not spend too much time on it: I've already tried many things around it without success. I think QsoSSL internally uses static storage for the SSL environment: you then can get two distinct environments (cert store, app id, etc) simultaneously. There's no SNI support (GSKit introduces it in V7R1), handshake is always blocking, etc.

In addition, IBM recommends using GSKit for new developments since it is supported on all IBM platforms while QsoSSL is OS/400 only.
See: http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/index.jsp?topic=%2Frzab6%2Fcssl.htm

For your tests: You have to get access to an IBM AS/400 (aka iSeries or i5) computer. I'm afraid I can't give you access to ours.

QsoSSL doc: http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzab6/cssl2.htm
GSKit doc: http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzab6/cgskit.htm

The service programs (i.e.: equivalent to .so files) are installed within the base system. To get the source include members, you have to install C development and the QSYSINC library.

If no objection arises in the meantime, my long-term intentions are to get a working GSKit backend, have a test period with QsoSSL enabled as default SSL backend (for OS400), then another period with GSKit as default, then retire QsoSSL, which would then become obsolete and useless.

>> For these last 2 features, I had to duplicate code from ssluse.c and
>> implement some minimalistic ASN.1/X509 processing.

> Which part did you duplicate? And which version of libcurl are you using here?
> The 7.28-1 has the host matching functions extracted and pushed into a separate file,
> used by the axtls and OpenSSL backends.

The *_certinfo_*(), verifyhost(), get_cert_chain() and corollary procedures. I've adapted them to extract data from an X509 cert without help from an external SSL library (a work in progress). And yes, I do already use existing hosts functions.

Patrick
