On Thu, Sep 11, 2014 at 5:14 AM, Daniel Stenberg <dan...@haxx.se> wrote:

> Yes thanks, that'd be great! I'm sure there is or will be other interested
> people.

Okay, attached a patch. I've never submitted one before, so let me know if there are any issues. :) I also had to make some changes to config-win32ce.h, but I'm assuming that's expected when building libcurl.

> RC4 is insecure. To the point where we've stopped using it in general, and
> it is being avoided universally where security and encryption are involved.
> See http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02
>
> The main problem with completely disabling RC4 all over tends to involve
> old Windows installations, see
> https://www.ietf.org/mail-archive/web/tls/current/msg11935.html
>
> So, you need to consider the alternatives. RC4 is known to be insecure,
> but possibly less bad than what other algorithms you can choose from!

From what I can tell, the WinCE 6 implementation of EncryptMessage() seems to be generally broken when it concerns block ciphers, and RC4 is the only cipher that I got to work... but I could be totally wrong here. Unfortunately, I haven't found any other source to support my claim, so I was hoping someone here had experience with schannel and WinCE 6. :)

Here's a list of the available ciphers for WinCE 6:
http://msdn.microsoft.com/en-us/library/ee498855(v=winembedded.60).aspx

>> - Fix an apparent bug in hostname verification for wildcard certs. For
>> *.example.com from the cert, it was comparing ".example.com" instead of
>> "example.com" against the server's hostname
>
> Oh, that's not just for the embedded version then is it? It sounds
> significant enough that it is strange that it hasn't already been
> reported...

The bug I found was in verify_certificate(), which is only used in the WinCE implementation of schannel:

#ifdef _WIN32_WCE
  /* Windows CE doesn't do any server certificate validation.
     We have to do it manually. */
  if(data->set.ssl.verifypeer)
    return verify_certificate(conn, sockindex);
#endif

>> - A few small mods to allow libcurl to build for WinCE 6 (eg, use
>> send()/recv() instead of write()/read()).
>
> What? AFAIK, only minix uses write() and everything else uses send()
> already (and all internals do it with swrite() which is a macro that
> "hides" the real function being used). Am I wrong?

This one confused me as well. curlx_read() and curlx_write() were only defined for Win32 and were implemented using read() and write().

-- 
Ben Sutcliffe
wince6-build-and-schannel-fixes.patch
Description: Binary data
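The wildcard comparison mistake discussed in this thread (the certificate pattern "*.example.com" reduced to ".example.com" and compared with the host minus its first label, "example.com", so the two never match) is easy to reproduce in isolation. The following is an added example written for this page; it is not code from the attached patch or from curl's schannel backend, and the function names wildcard_match_buggy, wildcard_match_fixed and parent_domain are hypothetical. It shows the failing comparison next to a corrected matcher that lets '*' stand for exactly one leftmost label and requires the pattern suffix to contain a dot. Real certificate name checking (RFC 6125, IDNs, IP-address SANs) has more rules than this; the example covers only the string comparison the mail is about.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical helper: return the hostname minus its leftmost label,
   e.g. "www.example.com" -> "example.com". NULL if there is no dot or
   the name starts with one. */
static const char *parent_domain(const char *hostname)
{
    const char *dot = strchr(hostname, '.');
    if(!dot || dot == hostname)
        return NULL;
    return dot + 1;
}

/* The mistake described in the mail: strip only the '*' from the cert
   pattern (leaving ".example.com") and compare it with the host minus
   its first label ("example.com"). The strings differ by the leading dot,
   so a valid wildcard certificate is never accepted. Kept only to show
   the failure. */
bool wildcard_match_buggy(const char *pattern, const char *hostname)
{
    const char *rest = parent_domain(hostname);
    if(!rest || pattern[0] != '*')
        return false;
    return strcasecmp(pattern + 1, rest) == 0;  /* ".example.com" vs "example.com" */
}

/* Corrected matcher. Accepts a literal name (case-insensitive) or a
   pattern of the exact form "*.<suffix>", where '*' covers a single
   leftmost label. The suffix must itself contain a dot so that "*.com"
   cannot match every host under .com. */
bool wildcard_match_fixed(const char *pattern, const char *hostname)
{
    if(!pattern || !hostname || !*pattern || !*hostname)
        return false;

    /* Literal certificate name: plain case-insensitive comparison */
    if(pattern[0] != '*')
        return strcasecmp(pattern, hostname) == 0;

    /* Only "*.<suffix>" is accepted; "*foo.example.com" or "a.*.com" are not */
    if(pattern[1] != '.')
        return false;
    const char *suffix = pattern + 2;          /* "example.com", skipping "*." */
    if(!*suffix || strchr(suffix, '*') || !strchr(suffix, '.'))
        return false;

    /* The host must have exactly one label in front of the suffix */
    const char *rest = parent_domain(hostname);
    if(!rest)
        return false;
    return strcasecmp(suffix, rest) == 0;      /* "example.com" vs "example.com" */
}

int main(void)
{
    /* Constructed sample inputs for a stand-alone run */
    const char *pat = "*.example.com";
    const char *host = "www.example.com";
    printf("buggy: %s\n", wildcard_match_buggy(pat, host) ? "match" : "no match");
    printf("fixed: %s\n", wildcard_match_fixed(pat, host) ? "match" : "no match");
    return 0;
}
```

Run against "*.example.com" and "www.example.com", the buggy comparison reports no match while the fixed one matches; the fixed matcher still rejects "example.com" (no label for the wildcard to cover), "a.b.example.com" (two labels), and "*.com" patterns.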
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html