Results 53 comments of Michael Drake

In terms of performance improvement, to load the [BBC News](https://www.bbc.co.uk/news) site in NetSurf:

| LibCurl Version | Total instruction fetch cost |
| -- | -- |
| Master | ...

@bagder This is a draft merge request for now because it currently doesn't try to stat the file to see if it has changed, or optimise cases where the certificate...

The fuzzer test fails with:

```
/usr/bin/ld: openssl.c:(.text.set_up_x509_store[set_up_x509_store]+0x996): undefined reference to `SSL_CTX_set1_cert_store'
/usr/bin/ld: openssl.c:(.text.set_up_x509_store[set_up_x509_store]+0x12e4): undefined reference to `X509_STORE_up_ref'
```

It looks like both of those were added in OpenSSL 1.1.0....

> Which version is the fuzzer build built against?

From the log:

```
libssl-dev is already the newest version (1.1.1f-1ubuntu2.16).
```

That's weird, the [documentation states](https://www.openssl.org/docs/man3.0/man3/X509_STORE_up_ref.html):

> The X509_STORE_up_ref(), X509_STORE_lock()...

> You should assume that people will use OpenSSL from even before 1.0.0, so yes the code needs to have the proper #ifdef conditions to only use the APIs that...

> This is the biggest question IMHO. Until now, changes to the certificates will take effect on the next connection, but now they never will be. And, it's probably not...

> Applications also have the option to use `CURLOPT_CACERT_BLOB`, which is an existing rather effective way to "cache it themselves"... Oh, my understanding was that the `CURLOPT_CACERT_BLOB` was just the...

For what it's worth, I've [experimented with CURLOPT_CAINFO_BLOB](https://github.com/netsurf-browser/netsurf/commit/7e25bc6de157f95e53d1b67df59998a4696fe706) to confirm that, and found it makes no meaningful difference to performance on stock libcurl, compared to using `CURLOPT_CAINFO`. So it really...

I found that libressl claims openssl version 1.1.1, but does not have `SSL_CTX_set1_cert_store`. So I [changed it](https://github.com/curl/curl/compare/83ee40550f702b5c45bb90bfb5f322936d32a153..29752a4c5cd5840bd94ca411124ae6cc317bdd8d) to calling `X509_STORE_up_ref`, followed by `SSL_CTX_set_cert_store`, which is available in version 1.1.0 even...

> Another option may be to let the client build the X509_STORE itself, and let it pass that in as an alternative to CURLOPT_CAINFO and friends. Although it would need...