From 90110a9be0d55a870c665aa913b97fb620657262 Mon Sep 17 00:00:00 2001 From: Steve Holme Date: Mon, 18 Mar 2013 21:43:34 +0000 Subject: TODO: Reordered the protocol and security sections Moved SMTP, POP3, IMAP and New Protocol sections to be listed after the other protocols (FTP, HTTP and TELNET) and SASL to be after SSL and GnuTLS as these are all security related. Additionally fixed numbering of the SSL and GnuTLS sections as they weren't consecutive. --- docs/TODO | 236 +++++++++++++++++++++++++++++++------------------------------- 1 file changed, 117 insertions(+), 119 deletions(-) (limited to 'docs/TODO') diff --git a/docs/TODO b/docs/TODO index 1ddeb8736..dc4571627 100644 --- a/docs/TODO +++ b/docs/TODO @@ -45,41 +45,41 @@ 6.3 feature negotiation debug data 6.4 send data in chunks - 7. SSL - 7.1 Disable specific versions - 7.2 Provide mutex locking API - 7.3 Evaluate SSL patches - 7.4 Cache OpenSSL contexts - 7.5 Export session ids - 7.6 Provide callback for cert verification - 7.7 Support other SSL libraries - 7.9 improve configure --with-ssl - 7.10 Support DANE - - 8. GnuTLS - 8.1 SSL engine stuff - 8.3 check connection - - 9. SMTP - 9.1 Specify the preferred authentication mechanism - 9.2 Initial response - 9.3 Pipelining - 9.4 Graceful base64 decoding failure + 7. SMTP + 7.1 Specify the preferred authentication mechanism + 7.2 Initial response + 7.3 Pipelining + 7.4 Graceful base64 decoding failure - 10. POP3 - 10.1 auth= in URLs - 10.2 Initial response - 10.3 Graceful base64 decoding failure + 8. POP3 + 8.1 auth= in URLs + 8.2 Initial response + 8.3 Graceful base64 decoding failure - 11. IMAP - 11.1 auth= in URLs - 11.2 Graceful base64 decoding failure + 9. IMAP + 9.1 auth= in URLs + 9.2 Graceful base64 decoding failure - 12. LDAP - 12.1 SASL based authentication mechanisms + 10. LDAP + 10.1 SASL based authentication mechanisms - 13. New protocols - 13.1 RSYNC + 11. New protocols + 11.1 RSYNC + + 12. SSL + 12.1 Disable specific versions + 12.2 Provide mutex locking API + 12.3 Evaluate SSL patches + 12.4 Cache OpenSSL contexts + 12.5 Export session ids + 12.6 Provide callback for cert verification + 12.7 Support other SSL libraries + 12.8 improve configure --with-ssl + 12.9 Support DANE + + 13. GnuTLS + 13.1 SSL engine stuff + 13.2 check connection 14. SASL 14.1 Other authentication mechanisms @@ -178,7 +178,6 @@ http://tools.ietf.org/html/rfc6555 - 2. libcurl - multi interface 2.1 More non-blocking @@ -270,7 +269,6 @@ headers use a default value so only headers that need to be moved have to be specified. - 6. TELNET 6.1 ditch stdin @@ -295,84 +293,15 @@ to provide the data to send. use, but inefficient for any other. Sent data should be sent in larger chunks. -7. SSL - -7.1 Disable specific versions - - Provide an option that allows for disabling specific SSL versions, such as - SSLv2 http://curl.haxx.se/bug/feature.cgi?id=1767276 - -7.2 Provide mutex locking API - - Provide a libcurl API for setting mutex callbacks in the underlying SSL - library, so that the same application code can use mutex-locking - independently of OpenSSL or GnutTLS being used. - -7.3 Evaluate SSL patches - - Evaluate/apply Gertjan van Wingerde's SSL patches: - http://curl.haxx.se/mail/lib-2004-03/0087.html - -7.4 Cache OpenSSL contexts - - "Look at SSL cafile - quick traces look to me like these are done on every - request as well, when they should only be necessary once per ssl context (or - once per handle)". The major improvement we can rather easily do is to make - sure we don't create and kill a new SSL "context" for every request, but - instead make one for every connection and re-use that SSL context in the same - style connections are re-used. It will make us use slightly more memory but - it will libcurl do less creations and deletions of SSL contexts. - -7.5 Export session ids - - Add an interface to libcurl that enables "session IDs" to get - exported/imported. Cris Bailiff said: "OpenSSL has functions which can - serialise the current SSL state to a buffer of your choice, and recover/reset - the state from such a buffer at a later date - this is used by mod_ssl for - apache to implement and SSL session ID cache". - -7.6 Provide callback for cert verification - - OpenSSL supports a callback for customised verification of the peer - certificate, but this doesn't seem to be exposed in the libcurl APIs. Could - it be? There's so much that could be done if it were! - -7.7 Support other SSL libraries - - Make curl's SSL layer capable of using other free SSL libraries. Such as - MatrixSSL (http://www.matrixssl.org/). - -7.9 improve configure --with-ssl - - make the configure --with-ssl option first check for OpenSSL, then GnuTLS, - then NSS... - -7.10 Support DANE - - DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL - keys and certs over DNS using DNSSEC as an alternative to the CA model. - http://www.rfc-editor.org/rfc/rfc6698.txt - -8. GnuTLS - -8.1 SSL engine stuff - - Is this even possible? - -8.3 check connection - - Add a way to check if the connection seems to be alive, to correspond to the - SSL_peak() way we use with OpenSSL. - -9. SMTP +7. SMTP -9.1 Specify the preferred authentication mechanism +7.1 Specify the preferred authentication mechanism Add the ability to specify the preferred authentication mechanism or a list of mechanisms that should be used. Not only that, but the order that is returned by the server during the EHLO response should be honored by curl. -9.2 Initial response +7.2 Initial response Add the ability for the user to specify whether the initial response is included in the AUTH command. Some email servers, such as Microsoft @@ -381,53 +310,53 @@ to provide the data to send. http://curl.haxx.se/mail/lib-2012-03/0114.html -9.3 Pipelining +7.3 Pipelining Add support for pipelining emails. -9.4 Graceful base64 decoding failure +7.4 Graceful base64 decoding failure Rather than shutting down the session and returning an error when the decoding of a base64 encoded authentication response fails, we should gracefully shutdown the authentication process by sending a * response to the server as per RFC4954. -10. POP3 +8. POP3 -10.1 auth= in URLs +8.1 auth= in URLs Being able to specify the preferred authentication mechanism in the URL as per RFC2384. -10.2 Initial response +8.2 Initial response Add the ability for the user to specify whether the initial response is included in the AUTH command as per RFC5034. -10.3 Graceful base64 decoding failure +8.3 Graceful base64 decoding failure Rather than shutting down the session and returning an error when the decoding of a base64 encoded authentication response fails, we should gracefully shutdown the authentication process by sending a * response to the server as per RFC5034. -11. IMAP +9. IMAP -11.1 auth= in URLs +9.1 auth= in URLs Being able to specify the preferred authentication mechanism in the URL as per RFC5092. -11.2 Graceful base64 decoding failure +9.2 Graceful base64 decoding failure Rather than shutting down the session and returning an error when the decoding of a base64 encoded authentication response fails, we should gracefully shutdown the authentication process by sending a * response to the server as per RFC3501. -12. LDAP +10. LDAP -12.1 SASL based authentication mechanisms +10.1 SASL based authentication mechanisms Currently the LDAP module only supports ldap_simple_bind_s() in order to bind to an LDAP server. However, this function sends username and password details @@ -435,18 +364,87 @@ to provide the data to send. be possible to use ldap_bind_s() instead specifing the security context information ourselves. -13. New protocols +11. New protocols -13.1 RSYNC +11.1 RSYNC There's no RFC for the protocol or an URI/URL format. An implementation should most probably use an existing rsync library, such as librsync. +12. SSL + +12.1 Disable specific versions + + Provide an option that allows for disabling specific SSL versions, such as + SSLv2 http://curl.haxx.se/bug/feature.cgi?id=1767276 + +12.2 Provide mutex locking API + + Provide a libcurl API for setting mutex callbacks in the underlying SSL + library, so that the same application code can use mutex-locking + independently of OpenSSL or GnutTLS being used. + +12.3 Evaluate SSL patches + + Evaluate/apply Gertjan van Wingerde's SSL patches: + http://curl.haxx.se/mail/lib-2004-03/0087.html + +12.4 Cache OpenSSL contexts + + "Look at SSL cafile - quick traces look to me like these are done on every + request as well, when they should only be necessary once per ssl context (or + once per handle)". The major improvement we can rather easily do is to make + sure we don't create and kill a new SSL "context" for every request, but + instead make one for every connection and re-use that SSL context in the same + style connections are re-used. It will make us use slightly more memory but + it will libcurl do less creations and deletions of SSL contexts. + +12.5 Export session ids + + Add an interface to libcurl that enables "session IDs" to get + exported/imported. Cris Bailiff said: "OpenSSL has functions which can + serialise the current SSL state to a buffer of your choice, and recover/reset + the state from such a buffer at a later date - this is used by mod_ssl for + apache to implement and SSL session ID cache". + +12.6 Provide callback for cert verification + + OpenSSL supports a callback for customised verification of the peer + certificate, but this doesn't seem to be exposed in the libcurl APIs. Could + it be? There's so much that could be done if it were! + +12.7 Support other SSL libraries + + Make curl's SSL layer capable of using other free SSL libraries. Such as + MatrixSSL (http://www.matrixssl.org/). + +12.8 improve configure --with-ssl + + make the configure --with-ssl option first check for OpenSSL, then GnuTLS, + then NSS... + +12.9 Support DANE + + DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL + keys and certs over DNS using DNSSEC as an alternative to the CA model. + http://www.rfc-editor.org/rfc/rfc6698.txt + +13. GnuTLS + +13.1 SSL engine stuff + + Is this even possible? + +13.2 check connection + + Add a way to check if the connection seems to be alive, to correspond to the + SSL_peak() way we use with OpenSSL. + 14. SASL 14.1 Other authentication mechanisms - Add support for gssapi to SMTP, POP3 and IMAP. + Add support for GSSAPI to SMTP, POP3 and IMAP. 15. Client -- cgit v1.2.3