-rw-r--r-- | docs/TODO | 236 |
1 files changed, 117 insertions, 119 deletions
@@ -45,41 +45,41 @@ 6.3 feature negotiation debug data 6.4 send data in chunks - 7. SSL - 7.1 Disable specific versions - 7.2 Provide mutex locking API - 7.3 Evaluate SSL patches - 7.4 Cache OpenSSL contexts - 7.5 Export session ids - 7.6 Provide callback for cert verification - 7.7 Support other SSL libraries - 7.9 improve configure --with-ssl - 7.10 Support DANE - - 8. GnuTLS - 8.1 SSL engine stuff - 8.3 check connection - - 9. SMTP - 9.1 Specify the preferred authentication mechanism - 9.2 Initial response - 9.3 Pipelining - 9.4 Graceful base64 decoding failure + 7. SMTP + 7.1 Specify the preferred authentication mechanism + 7.2 Initial response + 7.3 Pipelining + 7.4 Graceful base64 decoding failure - 10. POP3 - 10.1 auth= in URLs - 10.2 Initial response - 10.3 Graceful base64 decoding failure + 8. POP3 + 8.1 auth= in URLs + 8.2 Initial response + 8.3 Graceful base64 decoding failure - 11. IMAP - 11.1 auth= in URLs - 11.2 Graceful base64 decoding failure + 9. IMAP + 9.1 auth= in URLs + 9.2 Graceful base64 decoding failure - 12. LDAP - 12.1 SASL based authentication mechanisms + 10. LDAP + 10.1 SASL based authentication mechanisms - 13. New protocols - 13.1 RSYNC + 11. New protocols + 11.1 RSYNC + + 12. SSL + 12.1 Disable specific versions + 12.2 Provide mutex locking API + 12.3 Evaluate SSL patches + 12.4 Cache OpenSSL contexts + 12.5 Export session ids + 12.6 Provide callback for cert verification + 12.7 Support other SSL libraries + 12.8 improve configure --with-ssl + 12.9 Support DANE + + 13. GnuTLS + 13.1 SSL engine stuff + 13.2 check connection 14. SASL 14.1 Other authentication mechanisms @@ -178,7 +178,6 @@ http://tools.ietf.org/html/rfc6555 - 2. libcurl - multi interface 2.1 More non-blocking @@ -270,7 +269,6 @@ headers use a default value so only headers that need to be moved have to be specified. - 6. TELNET 6.1 ditch stdin 
@@ -295,84 +293,15 @@ to provide the data to send. use, but inefficient for any other. Sent data should be sent in larger chunks. -7. SSL - -7.1 Disable specific versions - - Provide an option that allows for disabling specific SSL versions, such as - SSLv2 http://curl.haxx.se/bug/feature.cgi?id=1767276 - -7.2 Provide mutex locking API - - Provide a libcurl API for setting mutex callbacks in the underlying SSL - library, so that the same application code can use mutex-locking - independently of OpenSSL or GnutTLS being used. - -7.3 Evaluate SSL patches - - Evaluate/apply Gertjan van Wingerde's SSL patches: - http://curl.haxx.se/mail/lib-2004-03/0087.html - -7.4 Cache OpenSSL contexts - - "Look at SSL cafile - quick traces look to me like these are done on every - request as well, when they should only be necessary once per ssl context (or - once per handle)". The major improvement we can rather easily do is to make - sure we don't create and kill a new SSL "context" for every request, but - instead make one for every connection and re-use that SSL context in the same - style connections are re-used. It will make us use slightly more memory but - it will libcurl do less creations and deletions of SSL contexts. - -7.5 Export session ids - - Add an interface to libcurl that enables "session IDs" to get - exported/imported. Cris Bailiff said: "OpenSSL has functions which can - serialise the current SSL state to a buffer of your choice, and recover/reset - the state from such a buffer at a later date - this is used by mod_ssl for - apache to implement and SSL session ID cache". - -7.6 Provide callback for cert verification - - OpenSSL supports a callback for customised verification of the peer - certificate, but this doesn't seem to be exposed in the libcurl APIs. Could - it be? There's so much that could be done if it were! - -7.7 Support other SSL libraries - - Make curl's SSL layer capable of using other free SSL libraries. 
Such as - MatrixSSL (http://www.matrixssl.org/). - -7.9 improve configure --with-ssl - - make the configure --with-ssl option first check for OpenSSL, then GnuTLS, - then NSS... - -7.10 Support DANE - - DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL - keys and certs over DNS using DNSSEC as an alternative to the CA model. - http://www.rfc-editor.org/rfc/rfc6698.txt - -8. GnuTLS - -8.1 SSL engine stuff - - Is this even possible? - -8.3 check connection - - Add a way to check if the connection seems to be alive, to correspond to the - SSL_peak() way we use with OpenSSL. - -9. SMTP +7. SMTP -9.1 Specify the preferred authentication mechanism +7.1 Specify the preferred authentication mechanism Add the ability to specify the preferred authentication mechanism or a list of mechanisms that should be used. Not only that, but the order that is returned by the server during the EHLO response should be honored by curl. -9.2 Initial response +7.2 Initial response Add the ability for the user to specify whether the initial response is included in the AUTH command. Some email servers, such as Microsoft 
@@ -381,53 +310,53 @@ to provide the data to send. http://curl.haxx.se/mail/lib-2012-03/0114.html -9.3 Pipelining +7.3 Pipelining Add support for pipelining emails. -9.4 Graceful base64 decoding failure +7.4 Graceful base64 decoding failure Rather than shutting down the session and returning an error when the decoding of a base64 encoded authentication response fails, we should gracefully shutdown the authentication process by sending a * response to the server as per RFC4954. -10. POP3 +8. POP3 -10.1 auth= in URLs +8.1 auth= in URLs Being able to specify the preferred authentication mechanism in the URL as per RFC2384. -10.2 Initial response +8.2 Initial response Add the ability for the user to specify whether the initial response is included in the AUTH command as per RFC5034. -10.3 Graceful base64 decoding failure +8.3 Graceful base64 decoding failure Rather than shutting down the session and returning an error when the decoding of a base64 encoded authentication response fails, we should gracefully shutdown the authentication process by sending a * response to the server as per RFC5034. -11. IMAP +9. IMAP -11.1 auth= in URLs +9.1 auth= in URLs Being able to specify the preferred authentication mechanism in the URL as per RFC5092. -11.2 Graceful base64 decoding failure +9.2 Graceful base64 decoding failure Rather than shutting down the session and returning an error when the decoding of a base64 encoded authentication response fails, we should gracefully shutdown the authentication process by sending a * response to the server as per RFC3501. -12. LDAP +10. LDAP -12.1 SASL based authentication mechanisms +10.1 SASL based authentication mechanisms Currently the LDAP module only supports ldap_simple_bind_s() in order to bind to an LDAP server. However, this function sends username and password details 
@@ -435,18 +364,87 @@ to provide the data to send. be possible to use ldap_bind_s() instead specifing the security context information ourselves. -13. New protocols +11. New protocols -13.1 RSYNC +11.1 RSYNC There's no RFC for the protocol or an URI/URL format. An implementation should most probably use an existing rsync library, such as librsync. +12. SSL + +12.1 Disable specific versions + + Provide an option that allows for disabling specific SSL versions, such as + SSLv2 http://curl.haxx.se/bug/feature.cgi?id=1767276 + +12.2 Provide mutex locking API + + Provide a libcurl API for setting mutex callbacks in the underlying SSL + library, so that the same application code can use mutex-locking + independently of OpenSSL or GnutTLS being used. + +12.3 Evaluate SSL patches + + Evaluate/apply Gertjan van Wingerde's SSL patches: + http://curl.haxx.se/mail/lib-2004-03/0087.html + +12.4 Cache OpenSSL contexts + + "Look at SSL cafile - quick traces look to me like these are done on every + request as well, when they should only be necessary once per ssl context (or + once per handle)". The major improvement we can rather easily do is to make + sure we don't create and kill a new SSL "context" for every request, but + instead make one for every connection and re-use that SSL context in the same + style connections are re-used. It will make us use slightly more memory but + it will libcurl do less creations and deletions of SSL contexts. + +12.5 Export session ids + + Add an interface to libcurl that enables "session IDs" to get + exported/imported. Cris Bailiff said: "OpenSSL has functions which can + serialise the current SSL state to a buffer of your choice, and recover/reset + the state from such a buffer at a later date - this is used by mod_ssl for + apache to implement and SSL session ID cache". 
+ +12.6 Provide callback for cert verification + + OpenSSL supports a callback for customised verification of the peer + certificate, but this doesn't seem to be exposed in the libcurl APIs. Could + it be? There's so much that could be done if it were! + +12.7 Support other SSL libraries + + Make curl's SSL layer capable of using other free SSL libraries. Such as + MatrixSSL (http://www.matrixssl.org/). + +12.8 improve configure --with-ssl + + make the configure --with-ssl option first check for OpenSSL, then GnuTLS, + then NSS... + +12.9 Support DANE + + DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL + keys and certs over DNS using DNSSEC as an alternative to the CA model. + http://www.rfc-editor.org/rfc/rfc6698.txt + +13. GnuTLS + +13.1 SSL engine stuff + + Is this even possible? + +13.2 check connection + + Add a way to check if the connection seems to be alive, to correspond to the + SSL_peak() way we use with OpenSSL. + 14. SASL 14.1 Other authentication mechanisms - Add support for gssapi to SMTP, POP3 and IMAP. + Add support for GSSAPI to SMTP, POP3 and IMAP. 15. Client |
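Review bot: in the index hunk (@@ -45,41 +45,41 @@) the entry "12.8 improve configure --with-ssl" is the only one that starts lowercase; since the renumbering rewrites that line anyway, capitalize it to "Improve configure --with-ssl" and make the same change to the matching body heading in the last hunk so the index and the body stay in sync. The renumbering itself is an improvement: the old index skipped 7.8 and 8.2, and the new 12.1 to 12.9 and 13.1 to 13.2 run without gaps.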
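Review bot: in the SMTP hunk (@@ -295,84 +293,15 @@) item 7.1 says that "the order that is returned by the server during the EHLO response should be honored by curl". Letting the server's advertised order drive mechanism selection hands a man-in-the-middle (or a misconfigured server) a downgrade: it can list a cleartext-equivalent mechanism first and curl would pick it. The item should state that curl orders mechanisms by its own strength preference and uses the EHLO list only to filter out what the server does not offer, with the user-specified preference from the same item overriding both.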
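Review bot: in the renumbering hunk (@@ -381,53 +310,53 @@) items 7.4, 8.3 and 9.2 are the same paragraph three times with only the RFC reference changed (RFC4954, RFC5034, RFC3501), and all three describe one SASL-level behaviour, aborting the exchange with a "*" line instead of dropping the session. Consider collapsing them into a single item under "14. SASL", which already carries the cross-protocol item 14.1. While here, "gracefully shutdown the authentication process" in each of them should read "gracefully shut down" (verb, two words).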
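Review bot: the re-added SSL and GnuTLS lines in the last hunk (@@ -435,18 +364,87 @@) carry over four wording defects that the move is a good moment to fix: "GnutTLS" in 12.2 should be "GnuTLS"; "it will libcurl do less creations" in 12.4 should be "it will make libcurl do fewer creations"; "implement and SSL session ID cache" in 12.5 should be "an SSL session ID cache"; and 13.2 refers to "SSL_peak()", while the OpenSSL function is SSL_peek(). Structurally, 13.1 and 13.2 are TLS-layer items for one backend and would fit as 12.10 and 12.11 under "12. SSL" rather than as a section of their own, and the body of 13.1, "Is this even possible?", does not describe a task at all. The context line "specifing the security context" in the LDAP item above should be "specifying". The gssapi to GSSAPI capitalization in 14.1 is fine.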