At 17:11, Sat 2021-02-27, Ray Satiro via curl-library wrote:
> On 2/26/2021 2:56 PM, Morten Minde Neergaard via curl-library wrote:
[...]
> > The first thing that came to mind would be to add an option
> > CURLOPT_SSL_BACKEND_FLAGS where each backend could use these flags as
> > desired. The implementation-specific part of the patch would be like
> > this for SChannel:
> > 
> > --- a/lib/vtls/schannel.c
> > +++ b/lib/vtls/schannel.c
> > @@ -557,6 +557,8 @@ schannel_connect_step1(struct Curl_easy *data, struct 
> > connectdata *conn,
> >                      "names in server certificates.\n"));
> >       }
> > +    schannel_cred.dwFlags |= SSL_CONN_CONFIG(backend_flags);
> > +
> >       switch(conn->ssl_config.version) {
> >       case CURL_SSLVERSION_DEFAULT:
> >       case CURL_SSLVERSION_TLSv1:
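Review bot: the line `schannel_cred.dwFlags |= SSL_CONN_CONFIG(backend_flags);` ORs the application-supplied value into the Schannel credential with no validation, and SCHANNEL_CRED.dwFlags contains bits that relax certificate and server-name checking, so an opaque or mistaken integer from the caller would silently weaken validation in a way that is hard to audit later. Suggest masking the value against an allowlist of flags libcurl documents for this backend (or defining libcurl-level flag names and mapping each to its Schannel bit), failing the setopt for unknown bits, and documenting that the meaning of CURLOPT_SSL_BACKEND_FLAGS is backend-specific.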
[...]
> 
> 
> I've proposed two PRs to address the auto credentials issue. One would leave
> auto credentials as the default and add an option to disable it [1], and the
> other would disable auto credentials as the default (breaking change) and
> add an option to enable it [2]. Please take any discussion about it to the
> latter PR.

Cool, agree with the change. Since I'm not too familiar with the libcurl
code base, I'd hardly call my looking at the code a review, but gave it
a try nonetheless =)

> Regarding strong ciphers, CURLOPT_SSL_CIPHER_LIST [3] (--ciphers for the
> curl tool [4]) can be used with Schannel to set some algorithms but unlike
> other SSL backends it's relatively limited without ciphersuite support or
> umbrella terms like "USE_STRONG_CRYPTO". We would consider a patch for that
> to signal strong crypto.

To be clear, you're suggesting this should be possible?

  curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "USE_STRONG_CRYPTO");

... and that would also be possible to combine with the current ALGID
stuff? Not that it's a particularly sane use case, but would this be
acceptable?

  curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST,
          "CALG_RSA_SIGN:CALG_DH_EPHEM:CALG_AES_256:CALG_SHA_384:USE_STRONG_CRYPTO");


Kind regards,
-- 
Morten Minde Neergaard
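Added example, not code from curl or from either poster: a model of how a Schannel-style backend could parse a CURLOPT_SSL_CIPHER_LIST string that mixes CALG_* algorithm identifiers with the proposed USE_STRONG_CRYPTO keyword, as asked above. The ALG_ID values are the wincrypt.h constants; the function names and the flag bit are assumptions, and unknown tokens reject the whole list rather than being ignored.

```c
/* Parse a colon-separated cipher list mixing CALG_* names and USE_STRONG_CRYPTO.
 * Hypothetical code illustrating the thread's question, not curl's parser. */
#include <string.h>

#define MAX_ALGS 8
#define FLAG_USE_STRONG_CRYPTO 0x1u   /* hypothetical backend flag bit */

struct alg_name { const char *name; unsigned long id; };

/* Subset of Schannel ALG_IDs, limited to the names discussed in the thread. */
static const struct alg_name known_algs[] = {
  {"CALG_RSA_SIGN", 0x00002400UL},
  {"CALG_DH_EPHEM", 0x0000aa02UL},
  {"CALG_AES_256",  0x00006610UL},
  {"CALG_SHA_384",  0x0000800dUL},
};

struct cipher_cfg { unsigned long algs[MAX_ALGS]; int nalgs; unsigned flags; };

static int tok_eq(const char *tok, size_t len, const char *name)
{
  return len == strlen(name) && !strncmp(tok, name, len);
}

/* Returns 0 on success, -1 on an unknown or empty token or too many
 * algorithms, so a typo cannot silently weaken the configuration. */
int parse_cipher_list(const char *list, struct cipher_cfg *cfg)
{
  memset(cfg, 0, sizeof(*cfg));
  while(*list) {
    const char *end = strchr(list, ':');
    size_t len = end ? (size_t)(end - list) : strlen(list);
    size_t i; int matched = 0;
    if(tok_eq(list, len, "USE_STRONG_CRYPTO")) {
      cfg->flags |= FLAG_USE_STRONG_CRYPTO;   /* keyword, not an ALG_ID */
      matched = 1;
    }
    for(i = 0; !matched && i < sizeof(known_algs) / sizeof(known_algs[0]); i++) {
      if(tok_eq(list, len, known_algs[i].name)) {
        if(cfg->nalgs >= MAX_ALGS) return -1;
        cfg->algs[cfg->nalgs++] = known_algs[i].id;
        matched = 1;
      }
    }
    if(!matched) return -1;   /* reject the whole list on an unknown token */
    if(!end) break;
    list = end + 1;
  }
  return 0;
}
```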
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html