On Thu, 1 May 2014, Tomas Hajny wrote:
> On 1 May 14, at 16:36, Michael Van Canneyt wrote:
>> On Wed, 30 Apr 2014, Dimitrios Chr. Ioannidis wrote:
>>> Hi,
>>> I had to add support for the client side Server Name Indication (SNI) TLS
>>> extension which is supported in OpenSSL from version 0.9.8 ( k ? ) (
>>> http://en.wikipedia.org/wiki/Server_Name_Indication ) .
>>> It's a trivial change ( doesn't break anything, I think ... ) so can you
>>> review it for inclusion ?
>>> Regarding the absence of a switch ( at least ) for the SSCtrl call I read
>>> in the net that "... but looking at the OpenSSL code there is no harm done
>>> calling SSL_ctrl using undefined cmd parameters. Support for the
>>> SSL_CTRL_SET_TLSEXT_HOSTNAME can also be disabled when compiling openssl
>>> which confirms the no harm done."
>> I implemented the support, but did it differently.
>> - Added some more missing constants
>> - Added Ctrl() method to TSSL object
>> - Added SendHostAsSNI : boolean property to TSSLHandler. By default it is set
>> to true.
>> Thanks for your addition.
>> Definite proof that open source is still the best way for software development.
> Well, yes. Unfortunately, there's also a proof of certain open source
> inefficiency if not following the open source approach fully (in
> particular by forking the original source instead of pushing
> improvements and extensions upstream). :-( The OpenSSL library
> originally comes from Synapse. It was apparently forked by Ales
> Katona back in 2006. Since then, different changes (fixes,
> improvements and extensions) have been performed independently on
> both sides. Would it be better if there's only one version containing
> fixes from both projects (even if this version is located on two
> different places)? Yes, of course, but no one takes care about this...
> :-(
I had thought about this. In general, I try to take care of this concern,
since it is my concern as well.
But do not forget that synapse is also meant to be compilable with Delphi.
That complicates matters somewhat.
In this particular case I even started on a complete port of the openssl
headers (synapse contains only a part). But the openSSL code is really,
really messy. Lots of macros. So I dropped it.
As a side note:
I'm not really surprised to hear about the Heartbleed bug: even C programmers
should get scared looking at the code. I was therefore glad to hear that the
BSD team started on a rewrite (LibreSSL). Maybe it will result in cleaner code.
Michael.
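The quoted patch discussion above is about making the client put a server_name extension (RFC 6066) into its ClientHello, which is what the SSL_CTRL_SET_TLSEXT_HOSTNAME control and the SendHostAsSNI property switch on. The following is an added example, not code from the patch, from FPC or from Synapse: it builds a minimal ClientHello with and without the SNI extension and parses the host name back out, the way a TLS-terminating proxy or a network sensor would read it. The `send_sni` parameter is an assumed stand-in for the SendHostAsSNI property; the single cipher suite and the extension layout are constructed sample values. It also shows the two edge cases a client wrapper has to get right: no extension at all when SNI is turned off (the parser must return None rather than fail), and no HostName entry for an IP literal, which RFC 6066 forbids.

```python
import ipaddress
import os
import struct
from typing import Optional

# Extension type 0 is server_name; name_type 0 is host_name (RFC 6066).
SNI_EXT_TYPE = 0x0000
HOST_NAME_TYPE = 0


def is_ip_literal(host: str) -> bool:
    """RFC 6066 section 3: literal IPv4/IPv6 addresses are not allowed in HostName."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_sni_extension(host: str) -> bytes:
    """Encode one server_name extension carrying a single host_name entry."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXT_TYPE, len(server_name_list)) + server_name_list


def build_client_hello(host: Optional[str], send_sni: bool = True) -> bytes:
    """Build a minimal TLS record holding a ClientHello (constructed sample values).

    send_sni plays the role of the SendHostAsSNI switch described in the thread:
    when it is False, or the host is an IP literal, no server_name extension is sent.
    """
    extensions = b""
    if send_sni and host and not is_ip_literal(host):
        extensions += build_sni_extension(host)
    body = b"\x03\x03" + os.urandom(32) + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite (constructed choice)
    body += b"\x01\x00"                                 # compression methods: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_name_list(data: bytes) -> Optional[str]:
    """Return the first host_name entry of a server_name extension body, if any."""
    if len(data) < 2:
        raise ValueError("truncated server_name extension")
    end = 2 + struct.unpack("!H", data[:2])[0]
    pos = 2
    while pos + 3 <= end:
        ntype, nlen = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        name = data[pos:pos + nlen]
        pos += nlen
        if ntype == HOST_NAME_TYPE:
            return name.decode("ascii")
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello record and return its SNI host name, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # skip client_version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos >= len(body):
        return None                                     # hello ends here: no extensions block
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(body):
        raise ValueError("truncated extensions")
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT_TYPE:
            return parse_server_name_list(edata)
    return None


if __name__ == "__main__":
    for host, flag in (("www.example.com", True), ("www.example.com", False), ("192.0.2.10", True)):
        print(host, flag, "->", extract_sni(build_client_hello(host, flag)))
```

Two points worth keeping in mind when wiring SendHostAsSNI into a client: the host name travels in clear text in the ClientHello, so it is visible to anyone on the path (which is also why it is useful for network monitoring), and sending it only tells the server which certificate to present; the client still has to check that the certificate it receives actually matches that host name, which is a separate verification step from setting the extension.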
_______________________________________________
fpc-devel maillist - [email protected]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-devel