This weekend I participated in the CURL conference in Nuremberg.
It’s great to finally meet the people behind CURL and learn how it all came together and what direction they want to go. We had over a dozen interesting presentations and I learnt a lot about HTTP/2, SSL security and how people use CURL in various ways.
One of the things I learnt from a nice fellow is how to load the system certificates on Windows. I even found similar code for macOS, so the next plugins can use system certificates.
So we now have 4 ways to handle SSL security:
- Ignore it and accept all certificates.
  OptionVerifyPeer = 0 and OptionVerifyHost = 0
  No verification is done and a man-in-the-middle attack is very easy.
- Use a cacert.pem file with root certificates and verify against those.
  Use this for certificate pinning. Put the certificates of your servers in a pem file and only allow those. Or get a general cacert.pem file with common root certificates.
- Use system provided SSL functionality, see CURLNMBS class.
  Only for Mac and Windows in our Xojo plugins.
- New: Load system certificates and verify against them.
  For Mac and Windows with the next plugin version.
I even thought about using the system certificates by default if you don’t provide certificates, but ask to verify.
The conference was great and thanks to everyone helping. See you again some day!