Comments (7)

libetl commented on June 15, 2024

Mmh. Is there a cheap version of bouncycastle that I can embed here?
I don't want the lib to become a monster.

from curl.

libetl commented on June 15, 2024

(speaking of kilobytes)

kaoh commented on June 15, 2024

The standard lib will be several MB (5 or 6). Not sure if there are smaller libraries with the same support as BC. The TLS library alone is just 500k, but it needs the full crypto library of BC.

A hint to users of the library could be to use minimizers like ProGuard to strip down and remove unneeded dependencies. But Java crypto libraries have to be signed. This will prevent this approach because the signature input data will be destroyed. It is also uncommon under Java EE / server implementations.

But for me these 6 MB sound ok. I cannot think of an alternative approach as long as the OpenJDK crypto library is not supporting elliptic curve in a wider sense. Also curl is using an SSL library (OpenSSL) which is 2 MB.

A middle way could be to make the BC and BCTLS Maven dependency optional. See here.
Any user interested in the advanced features would add BC manually. You can add this to the README.md. During the runtime you could check if the BC Provider class org.bouncycastle.jce.provider.BouncyCastleProvider is available. If yes use it, if not use your existing code. As long as no BC method is touched this should work.

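The runtime check described in the comment above, as an added example that is not part of the original thread or the project's code. The class name `OptionalBouncyCastle` and its methods are hypothetical; only the provider class name comes from the comment. Bouncy Castle is resolved by name only, so the file compiles and runs whether or not the optional jar is on the classpath.

```java
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

public final class OptionalBouncyCastle {
    // Provider class named in the comment above. It is referenced only as a
    // string, so no Bouncy Castle type is touched unless the jar is present.
    private static final String BC_PROVIDER =
            "org.bouncycastle.jce.provider.BouncyCastleProvider";

    /** Returns a BC provider instance if the optional jar is present, else null. */
    static Provider loadBouncyCastle() {
        try {
            Class<?> cls = Class.forName(BC_PROVIDER);
            return (Provider) cls.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | LinkageError e) {
            return null; // optional dependency absent or not loadable
        }
    }

    /** Registers BC once, appended after the JDK providers. */
    static boolean registerIfAvailable() {
        Provider bc = loadBouncyCastle();
        if (bc == null) {
            return false; // caller stays on the existing JDK-only code path
        }
        if (Security.getProvider(bc.getName()) == null) {
            Security.addProvider(bc);
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        boolean bcAvailable = registerIfAvailable();
        // Default JDK TLS context; this is the fallback when BC is absent.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        System.out.println("Bouncy Castle available: " + bcAvailable);
        System.out.println("TLS provider in use: " + ctx.getProvider().getName());
    }
}
```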

libetl commented on June 15, 2024

Mmh why not. Optional dependencies, neat idea

libetl commented on June 15, 2024

Found a very naive workaround to make your junit test work. The trust self signed strategy is asserting the number of certs in the chain to be 1.
Let's just always return true in case of curl -k.

Will be fixed that way in 0.0.33

koh-osug commented on June 15, 2024

Does the proposed solution really pass the unit test? One problem I would have expected is that because the elliptic curve algorithm is not understood no session key can be agreed upon and the connection fails.

Another approach to let the user of Java curl manage this would be to add an option which specifies the TLS crypto provider. That way the user can set this crypto provider in his program code / or with a system configuration and curl would pick the correct one.

Another related problem could be the support of client TLS authentication. If the client key store is not supported because of an unsupported key store type and algorithm of the private key / certificate the connection will fail. Here also a crypto provider option for reading the key store and another option to specify the key store type would be handy.

libetl commented on June 15, 2024

The naive fix works with the unit test, however this is not the long term fix.

We can still agree to handle the authentication using bouncy castle.
