On Monday, August 28, 2017 11:22:51 PM CEST Daniel Stenberg wrote:
> Hi friends!
>
> As of minutes ago, libcurl has the ability to change SSL backend dynamically
> at run-time - if built with the support enabled. That means that the choice
> does no longer only have to happen at build-time.
>
> curl_global_sslset() is the new function for selecting which SSL backend to
> use. See https://curl.haxx.se/libcurl/c/curl_global_sslset.html

Should the curl_global_sslset() function really be declared in <curl/multi.h>?
I thought that the include file was used solely for the libcurl multi API...

> There's also a new example showing it in use:
> https://curl.haxx.se/libcurl/c/sslbackend.html
>
> To build with multiple backends, just specify all you want on the configure
> line. Ie "--with-ssl --with-gnutls" builds with both OpenSSL *and* GnuTLS.
>
> Tell configure which backend to use by default when built to use several,
> with --with-default-ssl-backend.
>
> This is of course a rather huge change to a lot of TLS code so of course
> there's a risk that some things broke in this process even if Johannes has
> done a wonderful work on this and I've done my best in reviewing it. Please
> be extra alert for SSL related quirks in the nearest future.

If I build curl with both NSS and OpenSSL, with OpenSSL being the default:

    $ ./configure --with-ssl --with-nss --with-default-ssl-backend=openssl --disable-tls-srp
    ...

NTLM authentication (e.g. in test-suite) fails with the following error:

    * unable to initialize NSS, curl_global_init() should have been called with CURL_GLOBAL_SSL or CURL_GLOBAL_ALL

This is caused by using NSS for the crypto operations even though only OpenSSL
was initialized. Should the switch work for SSL only or should it work for the
low-level crypto operations, too?

I see that Curl_ssl includes hooks for md5 and sha256 but I guess it would
significantly complicate the interface if we wanted to make the crypto
backends for NTLM and the like also run-time switchable...

A lightweight solution would be to fix curl_ntlm_core.c such that it uses
crypto operations from the default SSL/crypto backend. This would fix the
breakage in the most common case. However, NTLM would still break if the SSL
backend was switched at run-time.

Kamil

> Finally, all credits for the heavy lifting here should go to Johannes
> Schindelin! Thanks!
>
> Questions?
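Added example, not part of the original message and not libcurl code: a small self-contained C model of the mismatch reported above, comparing three ways the NTLM code could pick its crypto library. All names are hypothetical, and the model assumes that only the selected backend's library is initialized and that the build-time choice in this build is NSS, as the error message in the report indicates.

```c
#include <stdbool.h>

/* Simplified model of the reported problem; every name is hypothetical. */
enum backend { OPENSSL, NSS, NUM_BACKENDS };

/* How the NTLM code decides where its hash/cipher primitives come from */
enum strategy {
  BUILD_TIME_ORDER, /* fixed when compiling (assumed: NSS if built in) */
  DEFAULT_BACKEND,  /* follows --with-default-ssl-backend */
  RUNTIME_BACKEND   /* follows the backend selected at run-time */
};

struct tls_state {
  enum backend dflt;              /* configure-time default backend */
  enum backend selected;          /* backend chosen at run-time */
  bool initialized[NUM_BACKENDS]; /* which libraries were set up */
};

/* Assumption: global init only sets up the library of the selected backend */
static void global_init(struct tls_state *s, enum backend dflt,
                        enum backend selected)
{
  s->dflt = dflt;
  s->selected = selected;
  for (int i = 0; i < NUM_BACKENDS; i++)
    s->initialized[i] = (i == (int)selected);
}

static enum backend ntlm_crypto_source(const struct tls_state *s,
                                       enum strategy how)
{
  switch (how) {
  case BUILD_TIME_ORDER: return NSS;
  case DEFAULT_BACKEND:  return s->dflt;
  default:               return s->selected;
  }
}

/* true when NTLM would call into a library that was actually initialized */
bool ntlm_usable(enum backend dflt, enum backend selected, enum strategy how)
{
  struct tls_state s;
  global_init(&s, dflt, selected);
  return s.initialized[ntlm_crypto_source(&s, how)];
}
```

With OpenSSL as both default and selected backend, BUILD_TIME_ORDER reproduces the reported failure. DEFAULT_BACKEND fixes that case but fails again once NSS is selected at run-time, and only RUNTIME_BACKEND holds in every combination.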
