List of https (TLS) features

Feb 11, 2015 at 7:41 AM
Hi all,
I am kind of new to Casablanca and am working on a cross-platform C++ app for Windows 8 (store app), Android & iOS.

My app requires a TLS connection and I am having trouble understanding what is supported today by Casablanca.

What I'm looking for is a way to do the following in HTTPS:
  1. Setting the TLS version (1.2/1.1).
  2. Verify server certificate (in addition to what is done automatically)- SSL pinning
  3. Client certificate authentication (mutual auth)
  4. Use OpenSSL for the TLS if available
Are all these features available on the 3 platforms mentioned above?

Many thanks,
Dan.
Coordinator
Feb 13, 2015 at 5:54 PM
Edited Feb 13, 2015 at 5:55 PM
Hi Dan,

1 - We don't have any high-level API for setting/configuring the TLS version to be used. On some of the platforms it is possible to set the TLS version used through our native handle API. Our http_client is powered by the following, depending on the platform:
Windows Desktop - WinHttp
Windows Store/Phone - IXmlHttpRequest2
non-Windows - Boost.Asio/OpenSSL
With WinHttp you can use http_client_config::set_nativehandle_options to access the HINTERNET handle. From there you can use WinHttpSetOption with WINHTTP_OPTION_SECURE_PROTOCOLS to set the TLS version.

With IXmlHttpRequest I couldn't find a way to control the underlying TLS version so I don't think it is possible.

Recently in the development branch we implemented set_nativehandle_options for non-Windows platforms. It now exposes one of the following types, depending on whether HTTPS is in use or not:
 https - boost::asio::ssl::stream<boost::asio::ip::tcp::socket &> *
 http - boost::asio::ip::tcp::socket *
Using the Boost ssl::stream native_handle API you can get access to the underlying OpenSSL SSL_CTX structure, from which you can set various options using SSL_CTX_set_options.

2 - Like #1, we don't have any high-level API for this; you can open a feature request if you'd like. In general it is possible to accomplish it yourself utilizing similar techniques to those mentioned for #1. Basically, take a look at what the server certificate provided is and decide if it is what you expected.

3 - Client certificates can be set using the native handle API. For Windows store/phone I don't believe the current version of IXmlHttpRequest2 supports client certificates, but it looks like IXmlHttpRequest3 does, so it could be updated.

4 - OpenSSL is only used with our http_client on non-Windows platforms. That said, the code is cross-platform, so with some finagling you could try to reuse the Boost.Asio based implementation on Windows; however, I'm sure it won't pass the banned APIs scan for the Windows store cert kit check.

Steve
Marked as answer by roschuma on 10/13/2015 at 9:53 AM
Feb 17, 2015 at 1:08 PM
Thanks Steve for the descriptive clarifications.
This is exactly what I was looking for during the HTTPS/TLS features evaluation of Casablanca.

As a recommendation, it might be useful to add the HTTPS capability to the table of features, as the http client usually refers to HTTP only :)

Thanks again,
Dan.