
CURL conference


This weekend I participated in the CURL conference in Nuremberg.
It’s great to finally meet the people behind CURL and learn how it all came together and what direction they want to go. We had over a dozen interesting presentations and I learnt a lot about HTTP/2, SSL security and how people use CURL in various ways.

One of the things I learnt from a nice fellow is how to load the system certificates on Windows. I even found similar code for macOS, so the next plugins can use system certificates.

So we now have 4 ways to handle SSL security:
  • Ignore it and accept all certificates.
    OptionVerifyPeer = 0 and OptionVerifyHost = 0
    No verification is done, so a man-in-the-middle attack is very easy.
  • Use a cacert.pem file with root certificates and verify against those.
    Use this for certificate pinning: put the certificates of your servers in a PEM file and only allow those. Or get a general cacert.pem file with common root certificates.
  • Use the system-provided SSL functionality, see the CURLNMBS class.
    Only for Mac and Windows in our Xojo plugins.
  • New: Load the system certificates and verify against them.
    For Mac and Windows with the next plugin version.
Please try them soon in FileMaker and Xojo and let me know if they work fine for you.
I even thought about using the system certificates by default if you don’t provide certificates, but ask to verify.
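
As an added example (not MBS plugin code), here is a small Python audit that classifies a transfer's settings into the approaches listed above and flags what weakens verification, including the half-disabled combinations the list does not spell out. OptionVerifyPeer and OptionVerifyHost are the option names from this post; the keys `CAInfoPath` and `UseSystemCerts`, the mode names and the sample values are assumptions made for the illustration. The CURLNMBS class is a separate code path and is not covered.

```python
# Added example, not MBS plugin code. OptionVerifyPeer / OptionVerifyHost come
# from the post; "CAInfoPath" and "UseSystemCerts" are assumed, hypothetical keys.
from dataclasses import dataclass, field


@dataclass
class Audit:
    mode: str                                    # which approach is in effect
    findings: list = field(default_factory=list) # empty list means nothing weakens it


def audit_tls_options(opts: dict) -> Audit:
    """Classify one transfer's settings and list what weakens verification."""
    # Assumption: an unset option counts as enabled, any nonzero value as enabled.
    peer = int(opts.get("OptionVerifyPeer", 1)) != 0
    host = int(opts.get("OptionVerifyHost", 2)) != 0
    if not peer:
        result = Audit("accept-all", ["chain not verified: any certificate is accepted"])
        if host:
            result.findings.append(
                "hostname check alone does not help: a self-signed certificate "
                "carrying the right name passes")
        return result
    if opts.get("CAInfoPath"):
        result = Audit("pem-file")               # pinned set or general root bundle
    elif opts.get("UseSystemCerts"):
        result = Audit("system-store")
    else:
        result = Audit("no-trust-source",
                       ["verification requested but no certificates configured"])
    if not host:
        result.findings.append(
            "hostname not checked: a certificate issued for another site "
            "that chains to a trusted root is accepted")
    return result


# Constructed sample configurations, one per situation discussed above.
SAMPLES = {
    "ignore": {"OptionVerifyPeer": 0, "OptionVerifyHost": 0},
    "half-off": {"OptionVerifyPeer": 1, "OptionVerifyHost": 0, "CAInfoPath": "cacert.pem"},
    "pinned": {"OptionVerifyPeer": 1, "OptionVerifyHost": 2, "CAInfoPath": "myserver.pem"},
    "system": {"OptionVerifyPeer": 1, "OptionVerifyHost": 2, "UseSystemCerts": True},
    "unset": {"OptionVerifyPeer": 1, "OptionVerifyHost": 2},
}

if __name__ == "__main__":
    for name, opts in SAMPLES.items():
        r = audit_tls_options(opts)
        print(f"{name:9} {r.mode:16} {'; '.join(r.findings) or 'OK'}")
```

The "unset" case is the one where a fallback to system certificates, as considered above, would apply.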

The conference was great and thanks to everyone helping. See you again some day!
19 03 17 - 14:15