aboutsummaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorSteve Holme <steve_holme@hotmail.com>2013-03-18 21:43:34 +0000
committerSteve Holme <steve_holme@hotmail.com>2013-03-18 21:43:34 +0000
commit90110a9be0d55a870c665aa913b97fb620657262 (patch)
tree9da8c16985eeee626308cc9c963eaf4a5cc853b1 /docs
parentb0dfbf305a86bd8312090c6c1ff275a6f895a763 (diff)
TODO: Reordered the protocol and security sections
Moved SMTP, POP3, IMAP and New Protocol sections to be listed after the other protocols (FTP, HTTP and TELNET) and SASL to be after SSL and GnuTLS as these are all security related. Additionally fixed numbering of the SSL and GnuTLS sections as they weren't consecutive.
Diffstat (limited to 'docs')
-rw-r--r--docs/TODO236
1 files changed, 117 insertions, 119 deletions
diff --git a/docs/TODO b/docs/TODO
index 1ddeb8736..dc4571627 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -45,41 +45,41 @@
6.3 feature negotiation debug data
6.4 send data in chunks
- 7. SSL
- 7.1 Disable specific versions
- 7.2 Provide mutex locking API
- 7.3 Evaluate SSL patches
- 7.4 Cache OpenSSL contexts
- 7.5 Export session ids
- 7.6 Provide callback for cert verification
- 7.7 Support other SSL libraries
- 7.9 improve configure --with-ssl
- 7.10 Support DANE
-
- 8. GnuTLS
- 8.1 SSL engine stuff
- 8.3 check connection
-
- 9. SMTP
- 9.1 Specify the preferred authentication mechanism
- 9.2 Initial response
- 9.3 Pipelining
- 9.4 Graceful base64 decoding failure
+ 7. SMTP
+ 7.1 Specify the preferred authentication mechanism
+ 7.2 Initial response
+ 7.3 Pipelining
+ 7.4 Graceful base64 decoding failure
- 10. POP3
- 10.1 auth= in URLs
- 10.2 Initial response
- 10.3 Graceful base64 decoding failure
+ 8. POP3
+ 8.1 auth= in URLs
+ 8.2 Initial response
+ 8.3 Graceful base64 decoding failure
- 11. IMAP
- 11.1 auth= in URLs
- 11.2 Graceful base64 decoding failure
+ 9. IMAP
+ 9.1 auth= in URLs
+ 9.2 Graceful base64 decoding failure
- 12. LDAP
- 12.1 SASL based authentication mechanisms
+ 10. LDAP
+ 10.1 SASL based authentication mechanisms
- 13. New protocols
- 13.1 RSYNC
+ 11. New protocols
+ 11.1 RSYNC
+
+ 12. SSL
+ 12.1 Disable specific versions
+ 12.2 Provide mutex locking API
+ 12.3 Evaluate SSL patches
+ 12.4 Cache OpenSSL contexts
+ 12.5 Export session ids
+ 12.6 Provide callback for cert verification
+ 12.7 Support other SSL libraries
+ 12.8 improve configure --with-ssl
+ 12.9 Support DANE
+
+ 13. GnuTLS
+ 13.1 SSL engine stuff
+ 13.2 check connection
14. SASL
14.1 Other authentication mechanisms
@@ -178,7 +178,6 @@
http://tools.ietf.org/html/rfc6555
-
2. libcurl - multi interface
2.1 More non-blocking
@@ -270,7 +269,6 @@
headers use a default value so only headers that need to be moved have to be
specified.
-
6. TELNET
6.1 ditch stdin
@@ -295,84 +293,15 @@ to provide the data to send.
use, but inefficient for any other. Sent data should be sent in larger
chunks.
-7. SSL
-
-7.1 Disable specific versions
-
- Provide an option that allows for disabling specific SSL versions, such as
- SSLv2 http://curl.haxx.se/bug/feature.cgi?id=1767276
-
-7.2 Provide mutex locking API
-
- Provide a libcurl API for setting mutex callbacks in the underlying SSL
- library, so that the same application code can use mutex-locking
- independently of OpenSSL or GnutTLS being used.
-
-7.3 Evaluate SSL patches
-
- Evaluate/apply Gertjan van Wingerde's SSL patches:
- http://curl.haxx.se/mail/lib-2004-03/0087.html
-
-7.4 Cache OpenSSL contexts
-
- "Look at SSL cafile - quick traces look to me like these are done on every
- request as well, when they should only be necessary once per ssl context (or
- once per handle)". The major improvement we can rather easily do is to make
- sure we don't create and kill a new SSL "context" for every request, but
- instead make one for every connection and re-use that SSL context in the same
- style connections are re-used. It will make us use slightly more memory but
- it will libcurl do less creations and deletions of SSL contexts.
-
-7.5 Export session ids
-
- Add an interface to libcurl that enables "session IDs" to get
- exported/imported. Cris Bailiff said: "OpenSSL has functions which can
- serialise the current SSL state to a buffer of your choice, and recover/reset
- the state from such a buffer at a later date - this is used by mod_ssl for
- apache to implement and SSL session ID cache".
-
-7.6 Provide callback for cert verification
-
- OpenSSL supports a callback for customised verification of the peer
- certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
- it be? There's so much that could be done if it were!
-
-7.7 Support other SSL libraries
-
- Make curl's SSL layer capable of using other free SSL libraries. Such as
- MatrixSSL (http://www.matrixssl.org/).
-
-7.9 improve configure --with-ssl
-
- make the configure --with-ssl option first check for OpenSSL, then GnuTLS,
- then NSS...
-
-7.10 Support DANE
-
- DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
- keys and certs over DNS using DNSSEC as an alternative to the CA model.
- http://www.rfc-editor.org/rfc/rfc6698.txt
-
-8. GnuTLS
-
-8.1 SSL engine stuff
-
- Is this even possible?
-
-8.3 check connection
-
- Add a way to check if the connection seems to be alive, to correspond to the
- SSL_peak() way we use with OpenSSL.
-
-9. SMTP
+7. SMTP
-9.1 Specify the preferred authentication mechanism
+7.1 Specify the preferred authentication mechanism
Add the ability to specify the preferred authentication mechanism or a list
of mechanisms that should be used. Not only that, but the order that is
returned by the server during the EHLO response should be honored by curl.
-9.2 Initial response
+7.2 Initial response
Add the ability for the user to specify whether the initial response is
included in the AUTH command. Some email servers, such as Microsoft
@@ -381,53 +310,53 @@ to provide the data to send.
http://curl.haxx.se/mail/lib-2012-03/0114.html
-9.3 Pipelining
+7.3 Pipelining
Add support for pipelining emails.
-9.4 Graceful base64 decoding failure
+7.4 Graceful base64 decoding failure
Rather than shutting down the session and returning an error when the
decoding of a base64 encoded authentication response fails, we should
gracefully shutdown the authentication process by sending a * response to the
server as per RFC4954.
-10. POP3
+8. POP3
-10.1 auth= in URLs
+8.1 auth= in URLs
Being able to specify the preferred authentication mechanism in the URL as
per RFC2384.
-10.2 Initial response
+8.2 Initial response
Add the ability for the user to specify whether the initial response is
included in the AUTH command as per RFC5034.
-10.3 Graceful base64 decoding failure
+8.3 Graceful base64 decoding failure
Rather than shutting down the session and returning an error when the
decoding of a base64 encoded authentication response fails, we should
gracefully shutdown the authentication process by sending a * response to the
server as per RFC5034.
-11. IMAP
+9. IMAP
-11.1 auth= in URLs
+9.1 auth= in URLs
Being able to specify the preferred authentication mechanism in the URL as
per RFC5092.
-11.2 Graceful base64 decoding failure
+9.2 Graceful base64 decoding failure
Rather than shutting down the session and returning an error when the
decoding of a base64 encoded authentication response fails, we should
gracefully shutdown the authentication process by sending a * response to the
server as per RFC3501.
-12. LDAP
+10. LDAP
-12.1 SASL based authentication mechanisms
+10.1 SASL based authentication mechanisms
Currently the LDAP module only supports ldap_simple_bind_s() in order to bind
to an LDAP server. However, this function sends username and password details
@@ -435,18 +364,87 @@ to provide the data to send.
be possible to use ldap_bind_s() instead specifing the security context
information ourselves.
-13. New protocols
+11. New protocols
-13.1 RSYNC
+11.1 RSYNC
There's no RFC for the protocol or an URI/URL format. An implementation
should most probably use an existing rsync library, such as librsync.
+12. SSL
+
+12.1 Disable specific versions
+
+ Provide an option that allows for disabling specific SSL versions, such as
+ SSLv2 http://curl.haxx.se/bug/feature.cgi?id=1767276
+
+12.2 Provide mutex locking API
+
+ Provide a libcurl API for setting mutex callbacks in the underlying SSL
+ library, so that the same application code can use mutex-locking
+ independently of OpenSSL or GnutTLS being used.
+
+12.3 Evaluate SSL patches
+
+ Evaluate/apply Gertjan van Wingerde's SSL patches:
+ http://curl.haxx.se/mail/lib-2004-03/0087.html
+
+12.4 Cache OpenSSL contexts
+
+ "Look at SSL cafile - quick traces look to me like these are done on every
+ request as well, when they should only be necessary once per ssl context (or
+ once per handle)". The major improvement we can rather easily do is to make
+ sure we don't create and kill a new SSL "context" for every request, but
+ instead make one for every connection and re-use that SSL context in the same
+ style connections are re-used. It will make us use slightly more memory but
+ it will libcurl do less creations and deletions of SSL contexts.
+
+12.5 Export session ids
+
+ Add an interface to libcurl that enables "session IDs" to get
+ exported/imported. Cris Bailiff said: "OpenSSL has functions which can
+ serialise the current SSL state to a buffer of your choice, and recover/reset
+ the state from such a buffer at a later date - this is used by mod_ssl for
+ apache to implement and SSL session ID cache".
+
+12.6 Provide callback for cert verification
+
+ OpenSSL supports a callback for customised verification of the peer
+ certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
+ it be? There's so much that could be done if it were!
+
+12.7 Support other SSL libraries
+
+ Make curl's SSL layer capable of using other free SSL libraries. Such as
+ MatrixSSL (http://www.matrixssl.org/).
+
+12.8 improve configure --with-ssl
+
+ make the configure --with-ssl option first check for OpenSSL, then GnuTLS,
+ then NSS...
+
+12.9 Support DANE
+
+ DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
+ keys and certs over DNS using DNSSEC as an alternative to the CA model.
+ http://www.rfc-editor.org/rfc/rfc6698.txt
+
+13. GnuTLS
+
+13.1 SSL engine stuff
+
+ Is this even possible?
+
+13.2 check connection
+
+ Add a way to check if the connection seems to be alive, to correspond to the
+ SSL_peak() way we use with OpenSSL.
+
14. SASL
14.1 Other authentication mechanisms
- Add support for gssapi to SMTP, POP3 and IMAP.
+ Add support for GSSAPI to SMTP, POP3 and IMAP.
15. Client