wf...@niif.hu (Ferenc Wágner) writes:

> Can you recommend a reliable way to decide whether there really are any
> conflicts between the different OpenSSL libraries used by libcurl and
> xmltooling?
I've found two code fragments which pass OpenSSL structures between curl
(OpenSSL 1.1) and XMLTooling (OpenSSL 1.0) in CURLSOAPTransport.cpp:

#ifdef HAVE_CURLINFO_TLS_SSL_PTR
    if (!ctx->m_cipherLogged) {
        Category& log = Category::getInstance(XMLTOOLING_LOGCAT ".SOAPTransport.CURL");
        if (log.isDebugEnabled()) {
            struct curl_tlssessioninfo* tlsinfo = nullptr;
            CURLcode infocode = curl_easy_getinfo(ctx->m_handle, CURLINFO_TLS_SSL_PTR, &tlsinfo);
            if (infocode == CURLE_OK && tlsinfo && tlsinfo->backend == CURLSSLBACKEND_OPENSSL && tlsinfo->internals) {
                SSL* ssl = reinterpret_cast<SSL*>(tlsinfo->internals);
                const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl);
                log.debug("SSL version: %s, cipher: %s", SSL_get_version(ssl), cipher ? SSL_CIPHER_get_name(cipher) : "unknown");
            }
        }
        ctx->m_cipherLogged = true;
    }
#endif

and

xmltooling::xml_ssl_ctx_callback(CURL* curl, SSL_CTX* ssl_ctx, void* userptr)
{
    CURLSOAPTransport* conf = reinterpret_cast<CURLSOAPTransport*>(userptr);

    // Default flags manually disable SSLv2 and SSLv3 so we're not dependent on libcurl
    // to do it. Also disable the ticket option where implemented, since this breaks a
    // variety of servers. Newer libcurl also does this for us.
#ifdef SSL_OP_NO_TICKET
    SSL_CTX_set_options(ssl_ctx, conf->m_openssl_ops|SSL_OP_NO_TICKET);
#else
    SSL_CTX_set_options(ssl_ctx, conf->m_openssl_ops);
#endif

#ifndef XMLTOOLING_NO_XMLSEC
    if (conf->m_cred)
        conf->m_cred->attach(ssl_ctx);

    if (conf->m_trustEngine) {
        SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_PEER,nullptr);
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
        // With 0.9.7, we can pass a callback argument directly.
        SSL_CTX_set_cert_verify_callback(ssl_ctx,verify_callback,userptr);
#else
        // With 0.9.6, there's no argument, so we're going to use a really embarrassing hack and
        // stuff the argument in the depth property where it will get copied to the context object
        // that's handed to the callback.
        SSL_CTX_set_cert_verify_callback(ssl_ctx,reinterpret_cast<int (*)()>(verify_callback),nullptr);
        SSL_CTX_set_verify_depth(ssl_ctx,reinterpret_cast<int>(userptr));
#endif
    }
#endif

    if (conf->m_ssl_callback && !conf->m_ssl_callback(conf, ssl_ctx, conf->m_ssl_userptr))
        return CURLE_SSL_CERTPROBLEM;
    return CURLE_OK;
}

So the issue isn't clear-cut at all (at least to me). Can we have
libcurl4-openssl1.0-dev? Any other ideas?
-- 
Thanks,
Feri
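One way to answer the question raised in the message, added here and not part of the thread, of XMLTooling or of libcurl: list the libssl/libcrypto sonames each shared object in the process is linked against, because an SSL_CTX* or SSL* created by one OpenSSL version and handed to another version's SSL_CTX_set_options() or SSL_get_current_cipher() is an ABI mismatch even when every symbol resolves. The library paths in the comments and the ldd output in the samples are constructed, not captured from a real host.

```sh
# Added example (not from the message, XMLTooling or libcurl): detect whether one
# process would load two OpenSSL runtimes via the libssl/libcrypto sonames it links.
# Read ldd-style text on stdin, print the distinct OpenSSL sonames, and return
# 0 for exactly one OpenSSL version, 1 for two or more (an SSL*/SSL_CTX* passed
# between the libraries would then cross an ABI boundary), 2 for none at all.
classify_ldd_output() {
    sonames=$(grep -oE 'lib(ssl|crypto)\.so\.[0-9]+(\.[0-9]+)*' | sort -u || true)
    if [ -n "$sonames" ]; then printf '%s\n' "$sonames"; fi
    # Keep only the version suffix (1.0.0, 1.1, 3, ...) and count distinct values,
    # so libssl and libcrypto of the same version count once.
    versions=$(printf '%s\n' "$sonames" | sed -E 's/^lib(ssl|crypto)\.so\.//' \
               | sort -u | grep -c . || true)
    if [ "$versions" -eq 0 ]; then return 2; fi
    if [ "$versions" -eq 1 ]; then return 0; fi
    return 1
}

# Live use: ldd over the libraries a binary links (paths below are placeholders):
#   openssl_runtime_check /path/to/libcurl.so.4 /path/to/libxmltooling.so
# Only DT_NEEDED dependencies are seen; anything loaded via dlopen() is missed.
openssl_runtime_check() {
    ldd "$@" 2>/dev/null | classify_ldd_output
}

# Constructed ldd-style output (not captured from a real host) mirroring the
# message: libcurl on OpenSSL 1.1 next to xmltooling on OpenSSL 1.0.
SAMPLE_MIXED='/usr/lib/libcurl.so.4:
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f00a0000000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f00a0200000)
/usr/lib/libxmltooling.so:
    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f00a0400000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f00a0600000)'
# Constructed output for the consistent case: both libraries on OpenSSL 1.1.
SAMPLE_CLEAN='/usr/lib/libcurl.so.4:
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f00a0000000)
/usr/lib/libxmltooling.so:
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f00a0200000)'

# Print a verdict for ldd-style text on stdin.
report_openssl_mix() {
    if out=$(classify_ldd_output); then
        printf 'OK: one OpenSSL runtime\n%s\n' "$out"
    elif [ $? -eq 1 ]; then
        printf 'CONFLICT: more than one OpenSSL runtime\n%s\n' "$out"
    else
        printf 'no OpenSSL dependency found\n'
    fi
}
printf '%s\n' "$SAMPLE_MIXED" | report_openssl_mix
printf '%s\n' "$SAMPLE_CLEAN" | report_openssl_mix
```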