curl and TLS #MeraKrypto
Slides for my talk at MeraKrypto April 29 2014
Usage Rights: CC Attribution License

curl and TLS #MeraKrypto Presentation Transcript

1. #MeraKrypto TLS and curl
   Daniel Stenberg, April 29th 2014

2. Agenda
   • curl
   • TLS
   • http2
   • Future

3. Daniel Stenberg
   Email:
   Twitter: @bagder
   Web:
   Blog:
   network hacker at

4. Please ask!
   Feel free to interrupt and ask at any time!

5. If I say SSL I mean TLS
   I tend to use the terms interchangeably

6. curl
   • curl is a tool I made
   • born around 1998
   • widely used for REST, downloads, scripted transfers and more
   • I expect everyone here to already know about it!
   • Added TLS support 1999
   • Uses TLS for HTTPS, FTPS, POP3S, IMAPS, SMTPS, LDAPS and RTMPS
   • 100% free and open source - join us!

7. libcurl 2014
   • The engine of the curl tool
   • The world's most used, most portable and most feature complete URL transfer library
   • Empowers cars, set-top boxes, printers, routers, Bluray players, TV sets, phones, tablets, games, web sites and a bus load of other use cases
   • Used by hundreds of well known companies and brands
   • Some 500 million users
   • Written in C
   • More than 40 bindings - for every language you can think of

8. TLS in libcurl
   • supports 10 different TLS back-ends
   • They differ in platform support, footprint, features, license and performance
   • Designed to be almost invisible to the user
   • Allows applications to add TLS secured transfers with no effort
   • libcurl itself is often built upon by other layers

9. The libcurl usage mistake #1
   Reminder: unauthenticated TLS is not secure

10. The libcurl usage mistake #1
   “Verify peer” and “verify host”
   • “but I just want encryption”
   • “but I can't afford a certificate”
   • “but it is annoying to my users”
   • “but it works just fine even if I disable it”
   • “but I don't need a client certificate”

11. TLS obstacles
   Over time, the course gets harder.
   The set of obstacles is growing and each one is becoming harder to climb.
   TLS-fronting applications need to care.

12. The TLS obstacle course
   SSLv2, SSLv3, < TLS 1.2, BEAST, CRIME, RC4, MD5, broken CAs, wildcard matching, verify cert ... Profit! ???

13. CA cert bundle
   • Needed to verify the server cert
   • Which Certificate Authorities do you trust?
   • Did you edit your CA cert bundle today?
   • The curl site offers a bundle converted from Mozilla sources
   • Maintaining your own set is a lot of work

14. No end to TLS in sight
   • TCP improvements are discussed
   • TLS improvements are discussed
   • TCP replacements are discussed
   • CA and cert improvements are discussed
   • TLS replacements are not discussed
   • HTTP improvements are discussed...

15. http2
   • http2 is the new HTTP, arriving late 2014
   • not yet set in stone
   • changes the over-the-wire data format
   • same old http:// and https:// URLs

16. Will http2 fix HTTPS?
   • attempts were made to make TLS mandatory
   • fought by proxies, small-products and “surveillance friendly” parties
   • pushed by user-centric browser vendors
   • Firefox and Chrome will only do http2 over TLS
   • IE will do plain-text

17. Opportunistic TLS
   • Alt-Svc: and ALTSVC
   • “You can also find this content over here =>”
   • Optional
   • Allows http:// over TLS!
   • Debated

18. Future
   • Further TLS obstacles and problems
   • TLS 1.3
   • DANE
   • tcpcrypt

19. Thank you!

20. Learn more!
   • curl and libcurl:
   • http2 explained:
   • Curl's TLS support compared:

21. Doing good is part of our code
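
As an added example (not code from the talk, and not part of curl or libcurl), the POSIX shell script below turns two points from the deck into checks a practitioner can run. Slide 10's "usage mistake #1" becomes a lint that flags any source or script line setting CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST to 0, or passing -k / --insecure to the curl tool, while showing the correct forms (verification on, CA bundle given explicitly) beside them. Slide 13's question "did you edit your CA cert bundle today?" becomes a structural audit of a PEM bundle that counts its certificates, rejects unterminated, empty or non-base64 blocks, and compares the file's SHA-256 with a value recorded when the bundle was fetched. The libcurl option names and curl flags are real; the sample source lines, the placeholder bundle (its bodies are base64-shaped filler, not certificates) and the file name tls_checks.sh are constructed here, and the script assumes grep -E, awk, mktemp and sha256sum are available.

```shell
#!/bin/sh
# Added example; not code from the talk or from the curl project.
# Two checks drawn from slides 10 and 13:
#   lint_tls_verify / count_tls_verify_findings
#       flag code or scripts that set CURLOPT_SSL_VERIFYPEER or
#       CURLOPT_SSL_VERIFYHOST to 0, or pass -k / --insecure to curl
#   pem_bundle_count / pem_bundle_hash_matches
#       structurally audit a PEM CA bundle (such as the Mozilla-derived one
#       the curl site offers) and compare it with a recorded SHA-256
# Assumes POSIX sh with grep -E, awk, mktemp and sha256sum (GNU coreutils).

# --- 1. verification lint ---------------------------------------------------
PAT_PEER='CURLOPT_SSL_VERIFYPEER[[:space:]]*,[[:space:]]*0L?[^0-9]'   # chain unchecked
PAT_HOST='CURLOPT_SSL_VERIFYHOST[[:space:]]*,[[:space:]]*0L?[^0-9]'   # name unchecked
# a curl command line carrying -k (also bundled, e.g. -sk) or --insecure
PAT_CLI='(^|[[:space:]])curl[[:space:]].*([[:space:]]-[A-Za-z]*k|--insecure)([[:space:]]|$)'

lint_tls_verify() {            # prints file:line:text for every finding
    grep -nHE -e "$PAT_PEER" -e "$PAT_HOST" -e "$PAT_CLI" "$@" || true
}
count_tls_verify_findings() {  # echoes the number of findings (0 = clean)
    lint_tls_verify "$@" | wc -l | tr -d ' '
}

# --- 2. CA bundle audit -----------------------------------------------------
# Prints the number of well-formed certificates and exits 1 if any block is
# unterminated, empty or holds non-base64 text (a hand edit or a truncated
# download). Text outside BEGIN/END blocks is ignored, as in the real bundle.
pem_bundle_count() {
    awk '
    /^-----BEGIN CERTIFICATE-----$/ {
        if (inside) { print "unterminated block before line " NR > "/dev/stderr"; bad = 1 }
        inside = 1; body = 0; next }
    /^-----END CERTIFICATE-----$/ {
        if (inside && body > 0) { n++ }
        else { print "stray or empty END at line " NR > "/dev/stderr"; bad = 1 }
        inside = 0; next }
    inside {
        if ($0 !~ "^[A-Za-z0-9+/=]+$") { print "non-base64 body at line " NR > "/dev/stderr"; bad = 1 }
        body++ }
    END {
        if (inside) { print "bundle ends inside a block" > "/dev/stderr"; bad = 1 }
        print n + 0
        exit (bad ? 1 : 0) }' "$1"
}
pem_bundle_hash_matches() {    # $2 is the SHA-256 noted when the bundle was fetched
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# --- constructed samples ----------------------------------------------------
make_sample_source() {         # four lines to flag, four that are correct
    f=$(mktemp); cat >"$f" <<'EOF'
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);  /* BAD: chain unchecked */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);  /* BAD: name unchecked */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);  /* ok */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);  /* ok */
curl_easy_setopt(curl, CURLOPT_CAINFO, "/etc/ssl/certs/ca-bundle.crt"); /* ok */
curl -sk https://example.com/api          # BAD: -k disables both checks
curl --insecure https://example.com/      # BAD
curl --cacert cacert.pem https://example.com/   # ok: explicit trust store
EOF
    printf '%s\n' "$f"
}
make_sample_bundle() {         # bodies are base64-shaped filler, NOT real certs
    f=$(mktemp); cat >"$f" <<'EOF'
# constructed placeholder bundle
Example Root One
================
-----BEGIN CERTIFICATE-----
MIIBplaceholderONE+/=
AAAA
-----END CERTIFICATE-----
Example Root Two
================
-----BEGIN CERTIFICATE-----
MIIBplaceholderTWO
-----END CERTIFICATE-----
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: sh tls_checks.sh --demo
if [ "${1:-}" = "--demo" ]; then
    src=$(make_sample_source); bundle=$(make_sample_bundle)
    lint_tls_verify "$src"
    echo "verify findings: $(count_tls_verify_findings "$src")"
    echo "certificates in bundle: $(pem_bundle_count "$bundle")"
    rm -f "$src" "$bundle"
fi
```

The lint is meant to gate a build or a container image: a non-zero count from count_tls_verify_findings is the cheapest way to catch the "but I just want encryption" shortcut before it ships. The bundle audit deliberately stays structural, so it runs wherever only a shell is available; it tells you the bundle is intact and unchanged since it was fetched, not whether the CAs inside deserve your trust, which is the judgement slide 13 leaves with you and needs a real X.509 parser such as openssl x509 to inform.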