[fpc-devel] https support; call for testers
Michael Van Canneyt
michael at freepascal.org
Thu May 1 17:52:49 CEST 2014
On Thu, 1 May 2014, Tomas Hajny wrote:
> On 1 May 14, at 16:36, Michael Van Canneyt wrote:
>> On Wed, 30 Apr 2014, Dimitrios Chr. Ioannidis wrote:
>>
>>> Hi,
>>>
>>> i had to add support for client side Server Name Indication (SNI) TLS
>>> extension which is supported in OpenSSL from version 0.9.8 ( k ? ) (
>>> http://en.wikipedia.org/wiki/Server_Name_Indication ) .
>>>
>>> It's a trivial change ( doesn't break anything, i think ... ) so can you
>>> review it for inclusion ?
>>>
>>> Regarding the absense of a switch ( at least ) for the SSCtrl call i read
>>> in the net that "... but looking at the OpenSSL code there is no harm done
>>> calling SSL_ctrl using undefined cmd parameters. Support for the
>>> SSL_CTRL_SET_TLSEXT_HOSTNAME can also be disabled when compiling openssl
>>> which confirms the no harm done."
>>
>> I implemented the support, but did it differently.
>> - Added some more missing constants
>> - Added Ctrl() method to TSSL object
>> - Added SendHostAsSNI : boolean property to TSSLHandler. By default it is set to true.
>>
>> Thanks for your addition.
>> Definite proof that open source is still the best way for software development.
>
> Well, yes. Unfortunately, there's also a proof of certain open source
> inefficiency if not following the open source approach fully (in
> particular by forking the original source instead of pushing
> improvements and extensions upstream). :-( The OpenSSL library
> originally comes from Synapse. It was apparently forked by Ales
> Katona back in 2006. Since then, different changes (fixes,
> improvements and extensions) have been performed independently on
> both sides. Would it be better if there's only one version containing
> fixes from both projects (even if this version is located on two
> different places)? Yes, of course, but noone takes care about this...
> :-(
I had thought about this. In general, I try to take care of this concern,
since it is my concern as well.
But do not forget that synapse is also meant to be compileable with Delphi.
That complicates matters somewhat.
In this particular case I even started on a complete port of the openssl
headers (synapse contains only a part). But the openSSL code is really,
really messy. Lots of macros. So I dropped it.
As a side note:
I'm not really surprised to hear about the heartbleed bug: even C programmers
should get scared looking at the code. I was therefor glad to hear that the
BSD team started on a rewrite (libreSSL). Maybe it will result in cleaner code.
Michael.
More information about the fpc-devel
mailing list