Public-key pinning doesn't work when compiling with '--without-ca-bundle --without-ca-path' #2935
Comments
@moparisthebest you up to check what this is about?
Debugging through the curl and openssl code, it seems to me that even if public-key pinning is the selected option, CA pinning is also being done, and this is why the failure occurs.
So because the
I figure you need to explicitly switch off the CA verification with
Thank you, it works this way. It now says: Actually only disabling But is this safe? In the documentation for
The documentation for that option doesn't really take pinning into consideration. Key pinning is really an alternative to the regular And as you say, the
Thanks for the confirmation. That makes it very clear.
I did this
I compiled curl the following way:
./configure --enable-debug --disable-optimize --enable-curldebug --without-ca-bundle --without-ca-path && make
I obtained the sha256 sum of the server's certificate public key exactly as written here. Then I wrote a small program to try to use public-key pinning:
The output is:
I expected the following
The download should work. When building curl without the "--without-ca-bundle --without-ca-path" flags, the download works.
I first observed this behaviour on a system which had no certificates installed on it, so I used '--without-ca-bundle --without-ca-path' just so that this problem can be more easily reproduced. This can be reproduced with the curl command-line tool as well, if built with the "without-*" flags.
curl/libcurl version
7.61.0
operating system
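To make concrete what the thread settles on (the pin is checked against the server's key independently of the CA bundle, which is why it still works on a system with no certificates), here is an added example that is not code from curl or from the reporter. It computes a pin in the format curl documents for --pinnedpubkey / CURLOPT_PINNEDPUBLICKEY (base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo) with a minimal DER walker, and then performs the same comparison curl does after the handshake. The certificate it parses is constructed inline from dummy key bytes so the script runs offline; the helper names (tlv, read_tlv, extract_spki, pin_from_cert, pin_matches, build_demo_cert) are this example's own, not libcurl API.

```python
"""Compute a curl-style public-key pin (sha256//<base64>) from a DER
certificate and check a presented certificate against it.

Added example, not code from the curl project or the issue reporter.
Assumes curl's documented pin format: base64(SHA-256(DER SubjectPublicKeyInfo)).
"""
import base64
import hashlib
import hmac

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTF8STRING, UTCTIME, SET = (
    0x30, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0x31)
CONTEXT_0 = 0xA0  # [0] EXPLICIT version in TBSCertificate


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element: tag, length, content."""
    return bytes([tag]) + _der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Decode the DER element at buf[pos]; return (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV (tag and length included) from
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    assert tag == SEQUENCE, "not a certificate SEQUENCE"
    tag, tbs, _ = read_tlv(cert, 0)
    assert tag == SEQUENCE, "not a tbsCertificate SEQUENCE"
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == CONTEXT_0:          # skip the optional explicit version
        pos = nxt
    for _ in range(5):            # serial, sigalg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, end = read_tlv(tbs, pos)
    assert tag == SEQUENCE, "expected subjectPublicKeyInfo"
    return tbs[pos:end]


def pin_from_cert(cert_der: bytes) -> str:
    """The value you would pass to --pinnedpubkey / CURLOPT_PINNEDPUBLICKEY."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256//" + base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der: bytes, pinned: str) -> bool:
    """Mirror of curl's post-handshake check: the presented key's hash must
    equal one of the configured pins (several may be given, ';'-separated).
    Nothing here consults a CA bundle, which is the point of the thread."""
    actual = pin_from_cert(cert_der)
    return any(hmac.compare_digest(actual, p.strip()) for p in pinned.split(";"))


def build_demo_cert(pubkey_bytes: bytes):
    """Constructed sample input: a structurally valid but unsigned X.509 v3
    certificate wrapping dummy key bytes. Returns (cert_der, spki_der)."""
    rsa_oid = tlv(OID, bytes.fromhex("2a864886f70d010101"))     # rsaEncryption
    sha256_rsa = tlv(OID, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
    alg = tlv(SEQUENCE, sha256_rsa + tlv(NULL, b""))
    spki = tlv(SEQUENCE, tlv(SEQUENCE, rsa_oid + tlv(NULL, b""))
               + tlv(BIT_STRING, b"\x00" + pubkey_bytes))
    cn = tlv(SEQUENCE, tlv(OID, bytes.fromhex("550403")) + tlv(UTF8STRING, b"example.test"))
    name = tlv(SEQUENCE, tlv(SET, cn))
    validity = tlv(SEQUENCE, tlv(UTCTIME, b"180101000000Z") + tlv(UTCTIME, b"280101000000Z"))
    tbs = tlv(SEQUENCE, tlv(CONTEXT_0, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01")
              + alg + name + validity + name + spki)
    cert = tlv(SEQUENCE, tbs + alg + tlv(BIT_STRING, b"\x00" * 33))  # dummy signature
    return cert, spki


if __name__ == "__main__":
    cert, _ = build_demo_cert(b"\x42" * 64)
    pin = pin_from_cert(cert)
    print("pin:", pin)
    print("matches own pin:", pin_matches(cert, pin))
    print("matches other key:", pin_matches(build_demo_cert(b"\x43" * 64)[0], pin))
```

Usage: against a real server, feed `extract_spki` the DER certificate you obtained (the same key bytes the openssl pipeline in curl's documentation hashes), and pass the resulting string to curl. Because the pin check is a comparison against the key alone, it gives no CA-based assurance; with CA verification switched off the pin is the only thing tying the connection to the intended server, so the pinned value must come from a trusted source and be rotated with the key.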