On 3/8/2018 7:47 AM, Lessandro Mariano wrote:
> I see. I can't figure out a way to solve my use case without patching
> curl though.
>
> I can use CURLOPT_SSL_CTX_FUNCTION and mbedtls_ssl_conf_verify to
> manually verify the common name in the certificate returned by the
> server, however I cannot change the hostname used for SNI. This is
> because the curl ssl_ctx implementation for mbedtls passes the
> mbedtls_ssl_config object to the callback instead of
> mbedtls_ssl_context, and the hostname for SNI is configured on the
> context and not on the config (see mbedtls_ssl_set_hostname).
>
> It would make more sense if curl passed the mbedtls context to the
> callback because you can get the config from the context and not vice
> versa, but changing this would break backwards compatibility with
> existing code.
>
> Alternatively, another solution would be to add a new option that
> overrides the hostname used for ssl/sni, i.e. CURLOPT_SSL_HOSTNAME or
> similar.
>
> But again if there's a solution that doesn't require patching curl,
> please let me know.
The SSL context function CURLOPT_SSL_CTX_FUNCTION [1] is to allow modification of the configuration object, not the connection specific object that is created from it. In OpenSSL the configuration object type is SSL_CTX and the connection object type is SSL. That is how CURLOPT_SSL_CTX_FUNCTION got its name. Support for the mbedTLS configuration object came later. The mbedTLS configuration object type is mbedtls_ssl_config and the connection object type is mbedtls_ssl_context. I understand the confusion.

To allow modification of the connection object another callback would be needed, CURLOPT_SSL_FUNCTION or a broad CURLOPT_CONNECT_FUNCTION or something like that. Also, there was discussion a while back of adding the ability to change the SNI [2] but there wasn't enough momentum.

I think for now you will have to patch libcurl.

[1]: https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CTX_FUNCTION.html
[2]: https://github.com/curl/curl/issues/607

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
