From 90110a9be0d55a870c665aa913b97fb620657262 Mon Sep 17 00:00:00 2001
From: Steve Holme <steve_holme@hotmail.com>
Date: Mon, 18 Mar 2013 21:43:34 +0000
Subject: [PATCH] TODO: Reordered the protocol and security sections

Moved SMTP, POP3, IMAP and New Protocol sections to be listed after the
other protocols (FTP, HTTP and TELNET) and SASL to be after SSL and
GnuTLS as these are all security related.

Additionally fixed numbering of the SSL and GnuTLS sections as they
weren't consecutive.
---
 docs/TODO | 236 +++++++++++++++++++++++++++++++-------------------------------
 1 file changed, 117 insertions(+), 119 deletions(-)

diff --git a/docs/TODO b/docs/TODO
index 1ddeb87..dc45716 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -45,41 +45,41 @@
  6.3 feature negotiation debug data
  6.4 send data in chunks
 
- 7. SSL
- 7.1 Disable specific versions
- 7.2 Provide mutex locking API
- 7.3 Evaluate SSL patches
- 7.4 Cache OpenSSL contexts
- 7.5 Export session ids
- 7.6 Provide callback for cert verification
- 7.7 Support other SSL libraries
- 7.9 improve configure --with-ssl
- 7.10 Support DANE
-
- 8. GnuTLS
- 8.1 SSL engine stuff
- 8.3 check connection
-
- 9. SMTP
- 9.1 Specify the preferred authentication mechanism
- 9.2 Initial response
- 9.3 Pipelining
- 9.4 Graceful base64 decoding failure
+ 7. SMTP
+ 7.1 Specify the preferred authentication mechanism
+ 7.2 Initial response
+ 7.3 Pipelining
+ 7.4 Graceful base64 decoding failure
  
- 10. POP3
- 10.1 auth= in URLs
- 10.2 Initial response
- 10.3 Graceful base64 decoding failure
+ 8. POP3
+ 8.1 auth= in URLs
+ 8.2 Initial response
+ 8.3 Graceful base64 decoding failure
  
- 11. IMAP
- 11.1 auth= in URLs
- 11.2 Graceful base64 decoding failure
+ 9. IMAP
+ 9.1 auth= in URLs
+ 9.2 Graceful base64 decoding failure
  
- 12. LDAP
- 12.1 SASL based authentication mechanisms
+ 10. LDAP
+ 10.1 SASL based authentication mechanisms
  
- 13. New protocols
- 13.1 RSYNC
+ 11. New protocols
+ 11.1 RSYNC
+
+ 12. SSL
+ 12.1 Disable specific versions
+ 12.2 Provide mutex locking API
+ 12.3 Evaluate SSL patches
+ 12.4 Cache OpenSSL contexts
+ 12.5 Export session ids
+ 12.6 Provide callback for cert verification
+ 12.7 Support other SSL libraries
+ 12.8 improve configure --with-ssl
+ 12.9 Support DANE
+
+ 13. GnuTLS
+ 13.1 SSL engine stuff
+ 13.2 check connection
 
  14. SASL
  14.1 Other authentication mechanisms
@@ -178,7 +178,6 @@
 
     http://tools.ietf.org/html/rfc6555
 
-
 2. libcurl - multi interface
 
 2.1 More non-blocking
@@ -270,7 +269,6 @@
  headers use a default value so only headers that need to be moved have to be
  specified.
 
-
 6. TELNET
 
 6.1 ditch stdin
@@ -295,84 +293,15 @@ to provide the data to send.
   use, but inefficient for any other.  Sent data should be sent in larger
   chunks.
 
-7. SSL
-
-7.1 Disable specific versions
-
- Provide an option that allows for disabling specific SSL versions, such as
- SSLv2 http://curl.haxx.se/bug/feature.cgi?id=1767276
-
-7.2 Provide mutex locking API
-
- Provide a libcurl API for setting mutex callbacks in the underlying SSL
- library, so that the same application code can use mutex-locking
- independently of OpenSSL or GnutTLS being used.
-
-7.3 Evaluate SSL patches
-
- Evaluate/apply Gertjan van Wingerde's SSL patches:
- http://curl.haxx.se/mail/lib-2004-03/0087.html
-
-7.4 Cache OpenSSL contexts
-
- "Look at SSL cafile - quick traces look to me like these are done on every
- request as well, when they should only be necessary once per ssl context (or
- once per handle)". The major improvement we can rather easily do is to make
- sure we don't create and kill a new SSL "context" for every request, but
- instead make one for every connection and re-use that SSL context in the same
- style connections are re-used. It will make us use slightly more memory but
- it will libcurl do less creations and deletions of SSL contexts.
-
-7.5 Export session ids
-
- Add an interface to libcurl that enables "session IDs" to get
- exported/imported. Cris Bailiff said: "OpenSSL has functions which can
- serialise the current SSL state to a buffer of your choice, and recover/reset
- the state from such a buffer at a later date - this is used by mod_ssl for
- apache to implement and SSL session ID cache".
-
-7.6 Provide callback for cert verification
-
- OpenSSL supports a callback for customised verification of the peer
- certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
- it be? There's so much that could be done if it were!
-
-7.7 Support other SSL libraries
-
- Make curl's SSL layer capable of using other free SSL libraries.  Such as
- MatrixSSL (http://www.matrixssl.org/).
-
-7.9 improve configure --with-ssl
-
- make the configure --with-ssl option first check for OpenSSL, then GnuTLS,
- then NSS...
-
-7.10 Support DANE
-
- DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
- keys and certs over DNS using DNSSEC as an alternative to the CA model.
- http://www.rfc-editor.org/rfc/rfc6698.txt
-
-8. GnuTLS
-
-8.1 SSL engine stuff
-
- Is this even possible?
-
-8.3 check connection
-
- Add a way to check if the connection seems to be alive, to correspond to the
- SSL_peak() way we use with OpenSSL.
-
-9. SMTP
+7. SMTP
 
-9.1 Specify the preferred authentication mechanism
+7.1 Specify the preferred authentication mechanism
 
  Add the ability to specify the preferred authentication mechanism or a list
  of mechanisms that should be used. Not only that, but the order that is
  returned by the server during the EHLO response should be honored by curl.
 
-9.2 Initial response
+7.2 Initial response
 
  Add the ability for the user to specify whether the initial response is
  included in the AUTH command. Some email servers, such as Microsoft
@@ -381,53 +310,53 @@ to provide the data to send.
 
  http://curl.haxx.se/mail/lib-2012-03/0114.html
 
-9.3 Pipelining
+7.3 Pipelining
 
  Add support for pipelining emails.
 
-9.4 Graceful base64 decoding failure
+7.4 Graceful base64 decoding failure
 
  Rather than shutting down the session and returning an error when the
  decoding of a base64 encoded authentication response fails, we should
  gracefully shutdown the authentication process by sending a * response to the
  server as per RFC4954.
 
-10. POP3
+8. POP3
 
-10.1 auth= in URLs
+8.1 auth= in URLs
 
  Being able to specify the preferred authentication mechanism in the URL as
  per RFC2384.
 
-10.2 Initial response
+8.2 Initial response
 
  Add the ability for the user to specify whether the initial response is
  included in the AUTH command as per RFC5034.
 
-10.3 Graceful base64 decoding failure
+8.3 Graceful base64 decoding failure
 
  Rather than shutting down the session and returning an error when the
  decoding of a base64 encoded authentication response fails, we should
  gracefully shutdown the authentication process by sending a * response to the
  server as per RFC5034.
 
-11. IMAP
+9. IMAP
 
-11.1 auth= in URLs
+9.1 auth= in URLs
 
  Being able to specify the preferred authentication mechanism in the URL as
  per RFC5092.
 
-11.2 Graceful base64 decoding failure
+9.2 Graceful base64 decoding failure
 
  Rather than shutting down the session and returning an error when the
  decoding of a base64 encoded authentication response fails, we should
  gracefully shutdown the authentication process by sending a * response to the
  server as per RFC3501.
 
-12. LDAP
+10. LDAP
 
-12.1 SASL based authentication mechanisms
+10.1 SASL based authentication mechanisms
 
  Currently the LDAP module only supports ldap_simple_bind_s() in order to bind
  to an LDAP server. However, this function sends username and password details
@@ -435,18 +364,87 @@ to provide the data to send.
  be possible to use ldap_bind_s() instead specifing the security context
  information ourselves.
 
-13. New protocols
+11. New protocols
 
-13.1 RSYNC
+11.1 RSYNC
 
  There's no RFC for the protocol or an URI/URL format.  An implementation
  should most probably use an existing rsync library, such as librsync.
 
+12. SSL
+
+12.1 Disable specific versions
+
+ Provide an option that allows for disabling specific SSL versions, such as
+ SSLv2 http://curl.haxx.se/bug/feature.cgi?id=1767276
+
+12.2 Provide mutex locking API
+
+ Provide a libcurl API for setting mutex callbacks in the underlying SSL
+ library, so that the same application code can use mutex-locking
+ independently of OpenSSL or GnutTLS being used.
+
+12.3 Evaluate SSL patches
+
+ Evaluate/apply Gertjan van Wingerde's SSL patches:
+ http://curl.haxx.se/mail/lib-2004-03/0087.html
+
+12.4 Cache OpenSSL contexts
+
+ "Look at SSL cafile - quick traces look to me like these are done on every
+ request as well, when they should only be necessary once per ssl context (or
+ once per handle)". The major improvement we can rather easily do is to make
+ sure we don't create and kill a new SSL "context" for every request, but
+ instead make one for every connection and re-use that SSL context in the same
+ style connections are re-used. It will make us use slightly more memory but
+ it will libcurl do less creations and deletions of SSL contexts.
+
+12.5 Export session ids
+
+ Add an interface to libcurl that enables "session IDs" to get
+ exported/imported. Cris Bailiff said: "OpenSSL has functions which can
+ serialise the current SSL state to a buffer of your choice, and recover/reset
+ the state from such a buffer at a later date - this is used by mod_ssl for
+ apache to implement and SSL session ID cache".
+
+12.6 Provide callback for cert verification
+
+ OpenSSL supports a callback for customised verification of the peer
+ certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
+ it be? There's so much that could be done if it were!
+
+12.7 Support other SSL libraries
+
+ Make curl's SSL layer capable of using other free SSL libraries.  Such as
+ MatrixSSL (http://www.matrixssl.org/).
+
+12.8 improve configure --with-ssl
+
+ make the configure --with-ssl option first check for OpenSSL, then GnuTLS,
+ then NSS...
+
+12.9 Support DANE
+
+ DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
+ keys and certs over DNS using DNSSEC as an alternative to the CA model.
+ http://www.rfc-editor.org/rfc/rfc6698.txt
+
+13. GnuTLS
+
+13.1 SSL engine stuff
+
+ Is this even possible?
+
+13.2 check connection
+
+ Add a way to check if the connection seems to be alive, to correspond to the
+ SSL_peak() way we use with OpenSSL.
+
 14. SASL
 
 14.1 Other authentication mechanisms
 
- Add support for gssapi to SMTP, POP3 and IMAP.
+ Add support for GSSAPI to SMTP, POP3 and IMAP.
 
 15. Client
 
-- 
2.7.4