On 9/29/2015 12:13 PM, Michael König wrote:
Hi everyone,
I got into a situation where I want to check what protocol version and cipher
was used for an SSL connection (HTTPS).
I found CURLINFO_TLS_SESSION and it looked like it might give me access to the
information I need, but it does not. When using the OpenSSL backend
CURLINFO_TLS_SESSION returns the SSL_CTX. While the CTX contains information
that affected the creation of the SSL session, it does not contain any
information about the established connection. It contains the list of
acceptable ciphers, but not the information about which cipher or protocol version was
actually used.
To probe that information from OpenSSL you need a pointer to the SSL object,
which holds the SSL_CTX and not the other way around.
Was there a reason for not returning the SSL object, or was it an oversight?
Changing the behaviour now feels like a really bad idea, due to the code
breaking potential. Is there any alternative? I did not check the other
backends as to how consistent the nature of the returned value is. I am only
somewhat familiar with CURLSSLBACKEND_SCHANNEL and could check that.
You can try using SSL_CTX_set_info_callback [1] to work with the SSL
handle when the handshake is complete. I made an example [2] that shows
how to read the version and cipher from the SSL handle. It doesn't take
into account renegotiation. A bigger problem is afaict there is no user
pointer to pass to OpenSSL for the curl handle so in the example there's
no logic to tell which curl handle the SSL handle is associated with.
There's probably a way around that without all sorts of trickery but I
can't think of it at the moment.
I don't know why the SSL object isn't exposed. It's been proposed
before, I don't remember what happened.
[1]: https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_info_callback.html
[2]: https://gist.github.com/jay/982b70e50bdd8a86415c
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html