TODO: moved WinSSL/SChannel todo items into docs
docs/TODO
							| @@ -87,44 +87,49 @@ | ||||
|  14.1 SSL engine stuff | ||||
|  14.2 check connection | ||||
|  | ||||
|  15. SASL | ||||
|  15.1 Other authentication mechanisms | ||||
|  15.2 Add QOP support to GSSAPI authentication | ||||
|  15. WinSSL/SChannel | ||||
|  15.1 Add support for client certificate authentication | ||||
|  15.2 Add support for custom server certificate validation | ||||
|  15.3 Add support for the --ciphers option | ||||
|  | ||||
|  16. Client | ||||
|  16.1 sync | ||||
|  16.2 glob posts | ||||
|  16.3 prevent file overwriting | ||||
|  16.4 simultaneous parallel transfers | ||||
|  16.5 provide formpost headers | ||||
|  16.6 warning when setting an option | ||||
|  16. SASL | ||||
|  16.1 Other authentication mechanisms | ||||
|  16.2 Add QOP support to GSSAPI authentication | ||||
|   | ||||
|  17. Build | ||||
|  17.1 roffit | ||||
|  17. Client | ||||
|  17.1 sync | ||||
|  17.2 glob posts | ||||
|  17.3 prevent file overwriting | ||||
|  17.4 simultaneous parallel transfers | ||||
|  17.5 provide formpost headers | ||||
|  17.6 warning when setting an option | ||||
|  | ||||
|  18. Test suite | ||||
|  18.1 SSL tunnel | ||||
|  18.2 nicer lacking perl message | ||||
|  18.3 more protocols supported | ||||
|  18.4 more platforms supported | ||||
|  18.5 Add support for concurrent connections | ||||
|  18. Build | ||||
|  18.1 roffit | ||||
|  | ||||
|  19. Next SONAME bump | ||||
|  19.1 http-style HEAD output for FTP | ||||
|  19.2 combine error codes | ||||
|  19.3 extend CURLOPT_SOCKOPTFUNCTION prototype | ||||
|  19. Test suite | ||||
|  19.1 SSL tunnel | ||||
|  19.2 nicer lacking perl message | ||||
|  19.3 more protocols supported | ||||
|  19.4 more platforms supported | ||||
|  19.5 Add support for concurrent connections | ||||
|  | ||||
|  20. Next major release | ||||
|  20.1 cleanup return codes | ||||
|  20.2 remove obsolete defines | ||||
|  20.3 size_t | ||||
|  20.4 remove several functions | ||||
|  20.5 remove CURLOPT_FAILONERROR | ||||
|  20.6 remove CURLOPT_DNS_USE_GLOBAL_CACHE | ||||
|  20.7 remove progress meter from libcurl | ||||
|  20.8 remove 'curl_httppost' from public | ||||
|  20.9 have form functions use CURL handle argument | ||||
|  20.10 Add CURLOPT_MAIL_CLIENT option | ||||
|  20. Next SONAME bump | ||||
|  20.1 http-style HEAD output for FTP | ||||
|  20.2 combine error codes | ||||
|  20.3 extend CURLOPT_SOCKOPTFUNCTION prototype | ||||
|  | ||||
|  21. Next major release | ||||
|  21.1 cleanup return codes | ||||
|  21.2 remove obsolete defines | ||||
|  21.3 size_t | ||||
|  21.4 remove several functions | ||||
|  21.5 remove CURLOPT_FAILONERROR | ||||
|  21.6 remove CURLOPT_DNS_USE_GLOBAL_CACHE | ||||
|  21.7 remove progress meter from libcurl | ||||
|  21.8 remove 'curl_httppost' from public | ||||
|  21.9 have form functions use CURL handle argument | ||||
|  21.10 Add CURLOPT_MAIL_CLIENT option | ||||
|  | ||||
| ============================================================================== | ||||
|  | ||||
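Review bot: Renumbering sections 15 through 20 in the table of contents means any cross-reference elsewhere in the docs that cites the old numbers (for example "16.4 simultaneous parallel transfers") now points at the wrong item; grep the docs tree for the old section numbers before merging. Also worth checking that the three new 15.x entries match the headings in the body hunk word for word, since the TODO file's TOC and body are maintained by hand.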
| @@ -490,23 +495,58 @@ Currently the SMB authentication uses NTLMv1. | ||||
|  Add a way to check if the connection seems to be alive, to correspond to the | ||||
|  SSL_peak() way we use with OpenSSL. | ||||
|  | ||||
| 15. SASL | ||||
| 15. WinSSL/SChannel | ||||
|  | ||||
| 15.1 Other authentication mechanisms | ||||
| 15.1 Add support for client certificate authentication | ||||
|  | ||||
|  WinSSL/SChannel currently makes use of the OS-level system and user | ||||
|  certificate and private key stores. This does not allow the application | ||||
|  or the user to supply a custom client certificate using curl or libcurl. | ||||
|  | ||||
|  Therefore support for the existing -E/--cert and --key options should be | ||||
|  implemented by supplying a custom certificate to the SChannel APIs, see: | ||||
|  - Getting a Certificate for Schannel | ||||
|    http://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx | ||||
|  | ||||
| 15.2 Add support for custom server certificate validation | ||||
|  | ||||
|  WinSSL/SChannel currently makes use of the OS-level system and user | ||||
|  certificate trust store. This does not allow the application or user to | ||||
|  customize the server certificate validation process using curl or libcurl. | ||||
|  | ||||
|  Therefore support for the existing --cacert or --capath options should be | ||||
|  implemented by supplying a custom certificate to the SChannel APIs, see: | ||||
|  - Getting a Certificate for Schannel | ||||
|    http://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx | ||||
|  | ||||
| 15.3 Add support for the --ciphers option | ||||
|  | ||||
|  The cipher suites used by WinSSL/SChannel are configured on an OS-level | ||||
|  instead of an application-level. This does not allow the application or | ||||
|  the user to customize the configured cipher suites using curl or libcurl. | ||||
|  | ||||
|  Therefore support for the existing --ciphers option should be implemented | ||||
|  by mapping the OpenSSL/GnuTLS cipher suites to the SChannel APIs, see | ||||
|  - Specifying Schannel Ciphers and Cipher Strengths | ||||
|    http://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx | ||||
|  | ||||
| 16. SASL | ||||
|  | ||||
| 16.1 Other authentication mechanisms | ||||
|  | ||||
|  Add support for other authentication mechanisms such as OLP, | ||||
|  GSS-SPNEGO and others. | ||||
|   | ||||
| 15.2 Add QOP support to GSSAPI authentication | ||||
| 16.2 Add QOP support to GSSAPI authentication | ||||
|  | ||||
|  Currently the GSSAPI authentication only supports the default QOP of auth | ||||
|  (Authentication), whilst Kerberos V5 supports both auth-int (Authentication | ||||
|  with integrity protection) and auth-conf (Authentication with integrity and | ||||
|  privacy protection). | ||||
|  | ||||
| 16. Client | ||||
| 17. Client | ||||
|  | ||||
| 16.1 sync | ||||
| 17.1 sync | ||||
|  | ||||
|  "curl --sync http://example.com/feed[1-100].rss" or | ||||
|  "curl --sync http://example.net/{index,calendar,history}.html" | ||||
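Review bot: Section 15.2 reuses the 15.1 reference "Getting a Certificate for Schannel", but that article covers obtaining a credential for the client side, whereas --cacert/--capath concern server-certificate validation against a custom trust store. Since SChannel validates against the OS store automatically, implementing 15.2 would mean taking over validation from SChannel and checking the chain against the supplied CA material in curl's own code, so the text should say that and cite a validation-specific reference rather than "supplying a custom certificate". Please also state the requirement that any replacement validation fails closed (any error rejects the connection), so that --cacert on WinSSL never silently turns into no verification. Unrelated to this change but visible in the context lines above: "SSL_peak()" should read "SSL_peek()".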
| @@ -515,12 +555,12 @@ Currently the SMB authentication uses NTLMv1. | ||||
|  remote file is newer than the local file. A Last-Modified HTTP date header | ||||
|  should also be used to set the mod date on the downloaded file. | ||||
|  | ||||
| 16.2 glob posts | ||||
| 17.2 glob posts | ||||
|  | ||||
|  Globbing support for -d and -F, as in 'curl -d "name=foo[0-9]" URL'. | ||||
|  This is easily scripted though. | ||||
|  | ||||
| 16.3 prevent file overwriting | ||||
| 17.3 prevent file overwriting | ||||
|  | ||||
|  Add an option that prevents cURL from overwriting existing local files. When | ||||
|  used, and there already is an existing file with the target file name | ||||
| @@ -528,14 +568,14 @@ Currently the SMB authentication uses NTLMv1. | ||||
|  existing). So that index.html becomes first index.html.1 and then | ||||
|  index.html.2 etc. | ||||
|  | ||||
| 16.4 simultaneous parallel transfers | ||||
| 17.4 simultaneous parallel transfers | ||||
|  | ||||
|  The client could be told to use maximum N simultaneous parallel transfers and | ||||
|  then just make sure that happens. It should of course not make more than one | ||||
|  connection to the same remote host. This would require the client to use the | ||||
|  multi interface. http://curl.haxx.se/bug/feature.cgi?id=1558595 | ||||
|  | ||||
| 16.5 provide formpost headers | ||||
| 17.5 provide formpost headers | ||||
|  | ||||
|  Extending the capabilities of the multipart formposting. How about leaving | ||||
|  the ';type=foo' syntax as it is and adding an extra tag (headers) which | ||||
| @@ -549,43 +589,43 @@ Currently the SMB authentication uses NTLMv1. | ||||
|  which should overwrite the program reasonable defaults (plain/text, | ||||
|  8bit...) | ||||
|  | ||||
| 16.6 warning when setting an option | ||||
| 17.6 warning when setting an option | ||||
|  | ||||
|   Display a warning when libcurl returns an error when setting an option. | ||||
|   This can be useful to tell when support for a particular feature hasn't been | ||||
|   compiled into the library. | ||||
|  | ||||
| 17. Build | ||||
| 18. Build | ||||
|  | ||||
| 17.1 roffit | ||||
| 18.1 roffit | ||||
|  | ||||
|  Consider extending 'roffit' to produce decent ASCII output, and use that | ||||
|  instead of (g)nroff when building src/tool_hugehelp.c | ||||
|  | ||||
| 18. Test suite | ||||
| 19. Test suite | ||||
|  | ||||
| 18.1 SSL tunnel | ||||
| 19.1 SSL tunnel | ||||
|  | ||||
|  Make our own version of stunnel for simple port forwarding to enable HTTPS | ||||
|  and FTP-SSL tests without the stunnel dependency, and it could allow us to | ||||
|  provide test tools built with either OpenSSL or GnuTLS | ||||
|  | ||||
| 18.2 nicer lacking perl message | ||||
| 19.2 nicer lacking perl message | ||||
|  | ||||
|  If perl wasn't found by the configure script, don't attempt to run the tests | ||||
|  but explain something nice why it doesn't. | ||||
|  | ||||
| 18.3 more protocols supported | ||||
| 19.3 more protocols supported | ||||
|  | ||||
|  Extend the test suite to include more protocols. The telnet could just do FTP | ||||
|  or http operations (for which we have test servers). | ||||
|  | ||||
| 18.4 more platforms supported | ||||
| 19.4 more platforms supported | ||||
|  | ||||
|  Make the test suite work on more platforms. OpenBSD and Mac OS. Remove | ||||
|  fork()s and it should become even more portable. | ||||
|  | ||||
| 18.5 Add support for concurrent connections | ||||
| 19.5 Add support for concurrent connections | ||||
|  | ||||
|  Tests 836, 882 and 938 were designed to verify that separate connections aren't | ||||
|  used when using different login credentials in protocols that shouldn't re-use | ||||
| @@ -599,14 +639,14 @@ Currently the SMB authentication uses NTLMv1. | ||||
|  and thus the wait for connections loop is never entered to receive the second | ||||
|  connection. | ||||
|  | ||||
| 19. Next SONAME bump | ||||
| 20. Next SONAME bump | ||||
|  | ||||
| 19.1 http-style HEAD output for FTP | ||||
| 20.1 http-style HEAD output for FTP | ||||
|  | ||||
|  #undef CURL_FTP_HTTPSTYLE_HEAD in lib/ftp.c to remove the HTTP-style headers | ||||
|  from being output in NOBODY requests over FTP | ||||
|  | ||||
| 19.2 combine error codes | ||||
| 20.2 combine error codes | ||||
|  | ||||
|  Combine some of the error codes to remove duplicates.  The original | ||||
|  numbering should not be changed, and the old identifiers would be | ||||
| @@ -631,29 +671,29 @@ Currently the SMB authentication uses NTLMv1. | ||||
|  | ||||
|     CURLE_TFTP_PERM => CURLE_REMOTE_ACCESS_DENIED | ||||
|  | ||||
| 19.3 extend CURLOPT_SOCKOPTFUNCTION prototype | ||||
| 20.3 extend CURLOPT_SOCKOPTFUNCTION prototype | ||||
|  | ||||
|  The current prototype only provides 'purpose' that tells what the | ||||
|  connection/socket is for, but not any protocol or similar. It makes it hard | ||||
|  for applications to differentiate on TCP vs UDP and even HTTP vs FTP and | ||||
|  similar. | ||||
|  | ||||
| 20. Next major release | ||||
| 21. Next major release | ||||
|  | ||||
| 20.1 cleanup return codes | ||||
| 21.1 cleanup return codes | ||||
|  | ||||
|  curl_easy_cleanup() returns void, but curl_multi_cleanup() returns a | ||||
|  CURLMcode. These should be changed to be the same. | ||||
|  | ||||
| 20.2 remove obsolete defines | ||||
| 21.2 remove obsolete defines | ||||
|  | ||||
|  remove obsolete defines from curl/curl.h | ||||
|  | ||||
| 20.3 size_t | ||||
| 21.3 size_t | ||||
|  | ||||
|  make several functions use size_t instead of int in their APIs | ||||
|  | ||||
| 20.4 remove several functions | ||||
| 21.4 remove several functions | ||||
|  | ||||
|  remove the following functions from the public API: | ||||
|  | ||||
| @@ -674,18 +714,18 @@ Currently the SMB authentication uses NTLMv1. | ||||
|  | ||||
|  curl_multi_socket_all | ||||
|  | ||||
| 20.5 remove CURLOPT_FAILONERROR | ||||
| 21.5 remove CURLOPT_FAILONERROR | ||||
|  | ||||
|  Remove support for CURLOPT_FAILONERROR, it has gotten too kludgy and weird | ||||
|  internally. Let the app judge success or not for itself. | ||||
|  | ||||
| 20.6 remove CURLOPT_DNS_USE_GLOBAL_CACHE | ||||
| 21.6 remove CURLOPT_DNS_USE_GLOBAL_CACHE | ||||
|  | ||||
|  Remove support for a global DNS cache. Anything global is silly, and we | ||||
|  already offer the share interface for the same functionality but done | ||||
|  "right". | ||||
|  | ||||
| 20.7 remove progress meter from libcurl | ||||
| 21.7 remove progress meter from libcurl | ||||
|  | ||||
|  The internally provided progress meter output doesn't belong in the library. | ||||
|  Basically no application wants it (apart from curl) but instead applications | ||||
| @@ -695,7 +735,7 @@ Currently the SMB authentication uses NTLMv1. | ||||
|  variable types passed to it instead of doubles so that big files work | ||||
|  correctly. | ||||
|  | ||||
| 20.8 remove 'curl_httppost' from public | ||||
| 21.8 remove 'curl_httppost' from public | ||||
|  | ||||
|  curl_formadd() was made to fill in a public struct, but the fact that the | ||||
|  struct is public is never really used by application for their own advantage | ||||
| @@ -704,7 +744,7 @@ Currently the SMB authentication uses NTLMv1. | ||||
|  Changing them to return a private handle will benefit the implementation and | ||||
|  allow us much greater freedoms while still maintaining a solid API and ABI. | ||||
|  | ||||
| 20.9 have form functions use CURL handle argument | ||||
| 21.9 have form functions use CURL handle argument | ||||
|  | ||||
|  curl_formadd() and curl_formget() both currently have no CURL handle | ||||
|  argument, but both can use a callback that is set in the easy handle, and | ||||
| @@ -712,7 +752,7 @@ Currently the SMB authentication uses NTLMv1. | ||||
|  curl_easy_perform() (or similar) called - which is hard to grasp and a design | ||||
|  mistake. | ||||
|  | ||||
| 20.10 Add CURLOPT_MAIL_CLIENT option | ||||
| 21.10 Add CURLOPT_MAIL_CLIENT option | ||||
|  | ||||
|  Rather than use the URL to specify the mail client string to present in the | ||||
|  HELO and EHLO commands, libcurl should support a new CURLOPT specifically for | ||||
|   | ||||
| @@ -38,19 +38,6 @@ | ||||
|  * Thanks for code and inspiration! | ||||
|  */ | ||||
|  | ||||
| /* | ||||
|  * TODO list for TLS/SSL implementation: | ||||
|  * - implement client certificate authentication | ||||
|  * - implement custom server certificate validation | ||||
|  * - implement cipher/algorithm option | ||||
|  * | ||||
|  * Related articles on MSDN: | ||||
|  * - Getting a Certificate for Schannel | ||||
|  *   http://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx | ||||
|  * - Specifying Schannel Ciphers and Cipher Strengths | ||||
|  *   http://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx | ||||
|  */ | ||||
|  | ||||
| #include "curl_setup.h" | ||||
|  | ||||
| #ifdef USE_SCHANNEL | ||||
|   | ||||
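Review bot: Removing the TODO block leaves nothing in the source that points readers of the SChannel implementation at where the open items went; consider keeping a one-line comment in its place, e.g. `/* See docs/TODO section 15 (WinSSL/SChannel) for open items. */`, so the missing client-certificate, custom-validation and --ciphers support is still discoverable from the code.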
Marc Hoersken