OpenConnect¹ is an SSL VPN client. It needs quite fine-grained control over the TLS connection that it makes to the VPN server, to allow for client certificates from various sources (TPM, PKCS#11, etc.) as well as for interoperability reasons.

I didn't want to have to write my own HTTP support, but at the time I couldn't find any HTTP client libraries which would just let me use my own underlying connection while they did the HTTP parts for me. I was never happy about this, especially as I had to implement various parts of SOCKS and HTTP proxy support and various authentication protocols. And I wasn't looking forward to having to implement HTTP/2 support.

Then CVE-2019-16239² happened and I'm even less happy. This is precisely why I didn't want to have to do my own HTTP in the first place.

So: what would it take to use curl for HTTP while basically abusing it from both sides? Not only do I need it to use my own underlying TLS connection, but I also need in some cases to make a CONNECT or even GET request which completes as soon as it has an HTTP 101 or 200 response and immediately hands the connection back to me, since it's passing binary traffic over it then.

¹ http://www.infradead.org/openconnect/
² http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/875f0a65a
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html