Re: schannel modifications for WinCE 6
On Wed, 10 Sep 2014, Ben Sutcliffe wrote:

> I can submit a patch if you guys are interested

Yes thanks, that'd be great! I'm sure there is or will be other interested people.

> curl_schannel.c:
> - Explicitly set cipher algorithm to RC4. Whatever the default cipher was, it wasn't working unless I was careful to pad my messages to presumably the correct block size (?). I'm guessing RC4 works since it's a stream cipher instead of a block cipher...but I don't know much about crypto. Not sure how secure RC4 is anyway...so maybe there's a better alternative.

RC4 is insecure. To the point where we've stopped using it in general, and it is being avoided universally where security and encryption are involved. See http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02

The main problem with completely disabling RC4 all over tends to involve old Windows installations, see https://www.ietf.org/mail-archive/web/tls/current/msg11935.html

So, you need to consider the alternatives. RC4 is known to be insecure, but possibly less bad than what other algorithms you can choose from!

> - Fix an apparent bug in hostname verification for wildcard certs. For *.example.com from the cert, it was comparing .example.com instead of example.com against the server's hostname

Oh, that's not just for the embedded version then is it? It sounds significant enough that it is strange that it hasn't already been reported...

> - A few small mods to allow libcurl to build for WinCE 6 (eg, use send()/recv() instead of write()/read()).

What? AFAIK, only minix uses write() and everything else uses send() already (and all internals do it with swrite() which is a macro that hides the real function being used). Am I wrong?

--
 / daniel.haxx.se

---
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Re: schannel modifications for WinCE 6
On Thu, Sep 11, 2014 at 5:14 AM, Daniel Stenberg dan...@haxx.se wrote:

> Yes thanks, that'd be great! I'm sure there is or will be other interested people.

Okay, attached a patch. I've never submitted one before, so let me know if there are any issues. :) I also had to make some changes to config-win32ce.h, but I'm assuming that's expected when building libcurl.

> RC4 is insecure. To the point where we've stopped using it in general, and it is being avoided universally where security and encryption are involved. See http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02
>
> The main problem with completely disabling RC4 all over tends to involve old Windows installations, see https://www.ietf.org/mail-archive/web/tls/current/msg11935.html
>
> So, you need to consider the alternatives. RC4 is known to be insecure, but possibly less bad than what other algorithms you can choose from!

From what I can tell, the WinCE 6 implementation of EncryptMessage() seems to be generally broken when it concerns block ciphers, and RC4 is the only cipher that I got to work...but I could be totally wrong here. Unfortunately, I haven't found any other source to support my claim, so I was hoping someone here had experience with schannel and WinCE 6. :)

Here's a list of the available ciphers for WinCE 6: http://msdn.microsoft.com/en-us/library/ee498855(v=winembedded.60).aspx

>> - Fix an apparent bug in hostname verification for wildcard certs. For *.example.com from the cert, it was comparing .example.com instead of example.com against the server's hostname
>
> Oh, that's not just for the embedded version then is it? It sounds significant enough that it is strange that it hasn't already been reported...

The bug I found was in verify_certificate(), which is only used in the WinCE implementation of schannel:

    #ifdef _WIN32_WCE
      /* Windows CE doesn't do any server certificate validation.
         We have to do it manually. */
      if(data->set.ssl.verifypeer)
        return verify_certificate(conn, sockindex);
    #endif

>> - A few small mods to allow libcurl to build for WinCE 6 (eg, use send()/recv() instead of write()/read()).
>
> What? AFAIK, only minix uses write() and everything else uses send() already (and all internals do it with swrite() which is a macro that hides the real function being used). Am I wrong?

This one confused me as well. curlx_read() and curlx_write() were only defined for Win32 and were implemented using read() and write().

--
Ben Sutcliffe

Attachment: wince6-build-and-schannel-fixes.patch
Description: Binary data
Re: schannel modifications for WinCE 6
On 11.09.2014 at 14:57, Ben Sutcliffe wrote:

>>> - Fix an apparent bug in hostname verification for wildcard certs. For *.example.com from the cert, it was comparing .example.com instead of example.com against the server's hostname
>>
>> Oh, that's not just for the embedded version then is it? It sounds significant enough that it is strange that it hasn't already been reported...
>
> The bug I found was in verify_certificate(), which is only used in the WinCE implementation of schannel:
>
>     #ifdef _WIN32_WCE
>       /* Windows CE doesn't do any server certificate validation.
>          We have to do it manually. */
>       if(data->set.ssl.verifypeer)
>         return verify_certificate(conn, sockindex);
>     #endif

I don't think that *.example.com should match example.com. Please see: http://en.wikipedia.org/wiki/Wildcard_certificate#Example and the RFC: http://tools.ietf.org/html/rfc6125#section-6.4.3

So the current implementation looks just fine.
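The matching rule under discussion in the message above, as an added example that is not part of the thread and is not libcurl's verify_certificate(): a wildcard covers exactly one left-most label, so *.example.com covers www.example.com but not example.com. The function names are hypothetical, and the sketch assumes ASCII DNS names, a whole-label "*" only, and that IP-address hosts are rejected before this check.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of two ASCII DNS names. */
static int name_equal(const char *a, const char *b)
{
  for(; *a && *b; a++, b++)
    if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return 0;
  return *a == *b;  /* equal only if both ended together */
}

/* Hypothetical helper, not a libcurl function.
   Returns 1 if 'host' is covered by the certificate name 'pattern'. */
int wildcard_host_match(const char *pattern, const char *host)
{
  const char *suffix, *host_dot;

  if(!pattern || !host || !*pattern || !*host)
    return 0;

  /* No leading "*." means no wildcard: exact match only. */
  if(strncmp(pattern, "*.", 2) != 0)
    return name_equal(pattern, host);

  suffix = pattern + 1;  /* ".example.com", leading dot included */

  /* Assumed policy: at least two labels must follow the wildcard,
     so a pattern such as "*.com" never matches anything. */
  if(!strchr(suffix + 1, '.'))
    return 0;

  /* The wildcard stands for exactly one non-empty label: the host must
     contain a dot, must not start with it, and everything from that
     first dot onward must equal the pattern's suffix. */
  host_dot = strchr(host, '.');
  if(!host_dot || host_dot == host)
    return 0;

  return name_equal(suffix, host_dot);
}
```

Keeping the leading dot in the compared suffix is what stops example.com and wwwexample.com from matching; comparing the suffix without it against the end of the hostname would accept both.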
Re: schannel modifications for WinCE 6
On Thu, 11 Sep 2014, Marc Hoersken wrote:

> I don't think that *.example.com should match example.com. Please see: http://en.wikipedia.org/wiki/Wildcard_certificate#Example and the RFC: http://tools.ietf.org/html/rfc6125#section-6.4.3

I agree! If that was what was fixed here I misunderstood the previous description.

--
 / daniel.haxx.se
schannel modifications for WinCE 6
Hi!

Just curious if anyone else has gotten libcurl 7.37.1 working with schannel support on Windows Embedded CE 6 (ARMV4I). I had to make a few modifications in order to get it to compile and run, but I think I'm finally there. I can submit a patch if you guys are interested, but here's an overview:

curl_schannel.c:
- Explicitly set cipher algorithm to RC4. Whatever the default cipher was, it wasn't working unless I was careful to pad my messages to presumably the correct block size (?). I'm guessing RC4 works since it's a stream cipher instead of a block cipher...but I don't know much about crypto. Not sure how secure RC4 is anyway...so maybe there's a better alternative.
- Fix an apparent bug in hostname verification for wildcard certs. For *.example.com from the cert, it was comparing .example.com instead of example.com against the server's hostname

Other:
- A few small mods to allow libcurl to build for WinCE 6 (eg, use send()/recv() instead of write()/read()). Not sure if this is a general issue with WinCE 6 or just with the SDK that I'm using.

Comments?

--
Ben Sutcliffe