Starting support for curl 8.5.0

[cpu]

My local build of curl 8.5.0 (the version I believe is shipped on Ubuntu 24.04) requires two additional libssl symbols:

• SSL_get_peer_signature_type_nid - This is implemented in this branch.
• SSL_CTX_set_cert_store - we had already implemented SSL_CTX_get_cert_store, making this fairly straight-forward to impl.

With the above, curl 8.5.0 now runs without missing symbol errors, but I'm seeing UnknownIssuer errors that make me suspect there's still work to do. I believe these will be fixed by resolving #17

Error output so far:

$> LD_LIBRARY_PATH=./target/release/ ldd $(which curl) | grep libssl
	libssl.so.3 => ./target/release/libssl.so.3 (0x00007ffff7a00000)
	
$> LD_LIBRARY_PATH=./target/release/ curl --version
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libssh2/1.11.0 nghttp2/1.57.0
Release-Date: 2023-12-06
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

$> LD_LIBRARY_PATH=./target/release/ curl https://example.com
[2024-05-02T19:03:58Z ERROR ssl::error] raising Error { lib: Ssl, reason: Unsupported, string: Some("_SSL_CTX_set_post_handshake_auth") }
[2024-05-02T19:03:58Z ERROR ssl::error] raising Error { lib: User, reason: OperationFailed, string: Some("invalid peer certificate: UnknownIssuer") }
[2024-05-02T19:03:58Z ERROR ssl::error] raising Error { lib: User, reason: OperationFailed, string: Some("invalid peer certificate: UnknownIssuer") }
[2024-05-02T19:03:58Z ERROR ssl::error] raising Error { lib: User, reason: OperationFailed, string: Some("invalid peer certificate: UnknownIssuer") }
[2024-05-02T19:03:58Z ERROR ssl::error] raising Error { lib: User, reason: OperationFailed, string: Some("invalid peer certificate: UnknownIssuer") }
[2024-05-02T19:03:58Z ERROR ssl::error] raising Error { lib: User, reason: OperationFailed, string: Some("invalid peer certificate: UnknownIssuer") }
[2024-05-02T19:03:58Z ERROR ssl::error] raising Error { lib: User, reason: OperationFailed, string: Some("invalid peer certificate: UnknownIssuer") }
curl: (35) OpenSSL/3.0.13: error:400C0107:lib(128)::operation fail

[cpu]

With the above, curl 8.5.0 now runs without missing symbol errors, but I'm seeing UnknownIssuer errors that make me suspect there's still work to do (so i've opened this as a draft for now):

I suspect this is related to #17

[ctz]

• SSL_get_peer_signature_type_nid - I've stubbed this out for now. I'm a little fuzzy on the upstream mapping here. The NIDs are unique to OpenSSL (defined in obj_mac.h). I think the main catch is figuring out how to map from a rustls connection's SupportedCipherSuite to the public key type in use for an associated signature algorithm.

i think for this we'd want the verifiers (client and server) to remember which SignatureScheme they checked (in verify_tls12_signature and co). Then this call should be a straight mapping to the NIDs.

[cpu]

i think for this we'd want the verifiers (client and server) to remember which SignatureScheme they checked (in verify_tls12_signature and co). Then this call should be a straight mapping to the NIDs.

I took a crack at this (in a separate branch for now since it's a little messy): a79305d

I'm not 100% confident I have the public_key_alg_id -> NID mapping correct, and I had to drag down some private helpers from Rustls 😓 WDYT? On the right track?

[cpu]

Reworked based on the feedback from my WIP attempt. This branch now implements SSL_get_peer_signature_type_nid instead of stubbing it. Using the SignatureScheme from the DigitallySignedStruct worked much better than the approach I used initially.

[ctz]

👍🏽