On Wed, Apr 23, 2014 at 8:30 AM, Daniel Stenberg <[email protected]> wrote:
> On Tue, 22 Apr 2014, Nick Zitzmann wrote:
>
>> I've skimmed over it, and I'm reluctant to include it in the next point
>> release, mainly because this is a huge change to secure code used by
>> millions of people[1], and we've already learned in the past two months how
>> a single line in supposedly secure code can cause a huge security hole (see
>> "goto fail" and Heartbleed).

No offense, but what will change if we just sit and wait? This is a feature that is missing from cURL currently. There are also millions of people using self-signed certificates. For them the only option right now if they want to use cURL with Secure Transport is to *disable* certificate verification. I'm not sure that's a good tradeoff.

>> We ought to consider this for a future release, though. Thanks for the
>> patch.
>
>
> Any suggestions on how we'd proceed to merge it? It is right now 231 new
> lines of code.
>
> We should consider what test cases we have that would run this code, or
> rather what tests we can and should add to increase our chances of detecting
> problems.

Test cases 310, 311, 312 and 313 already test --cacert. 313 still fails since that requires --crlfile to work too (not implemented with DarwinSSL - I plan to look into it later). These tests use an stunnel-wrapped http server, so it means we test cURL+Secure Transport against stunnel+OpenSSL using a PEM CA certificate - seems like a good integration test. I can add a few more test cases that do the same using the DER CA certificate (the patch makes sure both PEM and DER certificates are handled).

> Also, once we merge it people (on Mac at least) can use clang-analyzer etc
> to statically analyze the code for possible flaws.

Thanks, good idea. This is something I have not done, but I can check what scan-build says after applying the patch.

>
>
>> it's a core component of OS X starting in Mavericks
>
>
> I recognize that and I think it is awesome. But we also can't make that fact
> scare us away from doing/adding good stuff. Plus the fact that Apple is in
> fact deciding for themselves what to do with their OS and they're more than
> welcome to come forward and help us test and improve things!

Is the system cURL compiled with Secure Transport support on Mavericks? I only have a 10.8 box, on it it's still compiled with OpenSSL.

>
> --
>
>  / daniel.haxx.se
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
