aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.321
-rw-r--r--lib/vtls/mbedtls.c10
-rw-r--r--lib/vtls/mbedtls.h3
3 files changed, 25 insertions, 9 deletions
diff --git a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
index b26012670..2f71495b7 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
@@ -22,7 +22,7 @@
.\"
.TH CURLOPT_SSL_CTX_FUNCTION 3 "19 Jun 2014" "libcurl 7.37.0" "curl_easy_setopt options"
.SH NAME
-CURLOPT_SSL_CTX_FUNCTION \- SSL context callback for OpenSSL or wolfSSL/CyaSSL
+CURLOPT_SSL_CTX_FUNCTION \- SSL context callback for OpenSSL, wolfSSL/CyaSSL or mbedTLS
.SH SYNOPSIS
.nf
#include <curl/curl.h>
@@ -32,8 +32,9 @@ CURLcode ssl_ctx_callback(CURL *curl, void *ssl_ctx, void *userptr);
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_CTX_FUNCTION,
ssl_ctx_callback);
.SH DESCRIPTION
-This option only works for libcurl powered by OpenSSL or wolfSSL/CyaSSL. If
-libcurl was built against another SSL library this functionality is absent.
+This option only works for libcurl powered by OpenSSL, wolfSSL/CyaSSL or
+mbedTLS. If libcurl was built against another SSL library this functionality is
+absent.
Pass a pointer to your callback function, which should match the prototype
shown above.
@@ -42,13 +43,15 @@ This callback function gets called by libcurl just before the initialization
of an SSL connection after having processed all other SSL related options to
give a last chance to an application to modify the behaviour of the SSL
initialization. The \fIssl_ctx\fP parameter is actually a pointer to the SSL
-library's \fISSL_CTX\fP. If an error is returned from the callback no attempt
-to establish a connection is made and the perform operation will return the
-callback's error code. Set the \fIuserptr\fP argument with the
+library's \fISSL_CTX\fP for OpenSSL or wolfSSL/CyaSSL, and a pointer to
+\fImbedtls_ssl_config\fP for mbedTLS. If an error is returned from the callback
+no attempt to establish a connection is made and the perform operation will
+return the callback's error code. Set the \fIuserptr\fP argument with the
\fICURLOPT_SSL_CTX_DATA(3)\fP option.
This function will get called on all new connections made to a server, during
-the SSL negotiation. The SSL_CTX pointer will be a new one every time.
+the SSL negotiation. The \fIssl_ctx\fP will point to a newly initialized object
+each time, but note the pointer may be the same as from a prior call.
To use this properly, a non-trivial amount of knowledge of your SSL library is
necessary. For example, you can use this function to call library-specific
@@ -133,8 +136,8 @@ int main(void)
}
.fi
.SH AVAILABILITY
-Added in 7.11.0 for OpenSSL. Added in 7.42.0 for wolfSSL/CyaSSL. Other SSL
-backends not supported.
+Added in 7.11.0 for OpenSSL. Added in 7.42.0 for wolfSSL/CyaSSL. Added in
+7.54.0 for mbedTLS. Other SSL backends not supported.
.SH RETURN VALUE
CURLE_OK if supported; or an error such as:
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index b13171363..7cd2d6d0f 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -495,6 +495,16 @@ mbed_connect_step1(struct connectdata *conn,
mbedtls_debug_set_threshold(4);
#endif
+ /* give application a chance to interfere with mbedTLS set up. */
+ if(data->set.ssl.fsslctx) {
+ ret = (*data->set.ssl.fsslctx)(data, &connssl->config,
+ data->set.ssl.fsslctxp);
+ if(ret) {
+ failf(data, "error signaled by ssl ctx callback");
+ return ret;
+ }
+ }
+
connssl->connecting_state = ssl_connect_2;
return CURLE_OK;
diff --git a/lib/vtls/mbedtls.h b/lib/vtls/mbedtls.h
index 5b0bcf6d7..71d17a491 100644
--- a/lib/vtls/mbedtls.h
+++ b/lib/vtls/mbedtls.h
@@ -56,6 +56,9 @@ CURLcode Curl_mbedtls_random(struct Curl_easy *data, unsigned char *entropy,
/* this backends supports CURLOPT_PINNEDPUBLICKEY */
#define have_curlssl_pinnedpubkey 1
+/* this backend supports CURLOPT_SSL_CTX_* */
+#define have_curlssl_ssl_ctx 1
+
/* API setup for mbedTLS */
#define curlssl_init() Curl_mbedtls_init()
#define curlssl_cleanup() Curl_mbedtls_cleanup()