curl-users

Re: curl : cert_verify_callback

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 28 Jun 2001 13:40:10 +0200 (MET DST)

On Thu, 28 Jun 2001, Nic Roets wrote:

[CC'ed to the curl mailing list, please direct further discussion in this
subject to the list. I won't always be around personally.]

> Maybe "cert_verify_callback" in lib/ssluse.c should return the ok
> variable instead of 1 ? This will mean that a certificate error will
> cause an abort.

That is probably a good idea, at least when peer verification is required.
Maybe we should make that into two different functions for whether peer
verification is on or off. Or?

> The current problem with cert_verify_callback is the following :

> For some servers you want to POST a username & password, or they
> use the basic authentication method. So checking so an invalid
> cert MUST cause an abort, otherwise it may happen that you reveal
> the password to an unauthorized party.

I realize that. I'm not very good at SSL tech though, and not OpenSSL either,
so I need people like you to tell me/fix problems like this.

Thanks. Will a simple change from '1' to 'ok' work?

> I also attached Engelschall's pem file that he extracted from Navigator.

[Note to the list readers: this is not included in this reply]

> Maybe you should bundle this with the program ?

I'd prefer not to include another 108 KB in the release archive. I won't have
any problems with offering it from the curl web site though, if the licensing
of it allows that.

I will not have time to do any modifications of curl/libcurl until August. If
you can't do it yourself, our hope is left for other curl hackers on the
mailing list...

-- 
     Daniel Stenberg -- curl dude -- http://curl.haxx.se/
Received on 2001-06-28
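
The difference between returning 1 and returning ok, shown as an added example that is not code from curl or OpenSSL: a toy chain walk calls a callback of the shape discussed in the thread, and the callback's return value decides whether the handshake continues. The names toy_cert, toy_verify_chain, cb_return_1, cb_return_ok and the sample certificate names are all assumptions made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy certificate for this example; not an OpenSSL type. */
struct toy_cert { const char *subject; const char *issuer; };
/* Callback shape from the thread: `ok` is the library's verdict for one
   chain element; the return value replaces that verdict. */
typedef int (*verify_cb)(int ok, const struct toy_cert *cert);
/* Behaviour reported in the thread: every failure is overridden. */
static int cb_return_1(int ok, const struct toy_cert *cert) {
  (void)ok; (void)cert;
  return 1;
}
/* Proposed change: pass the verdict through, so a bad cert aborts. */
static int cb_return_ok(int ok, const struct toy_cert *cert) {
  (void)cert;
  return ok;
}

/* Toy chain walk, root (last element) first. Returns 1 if the handshake
   would continue, 0 if it is aborted before any request is sent. */
static int toy_verify_chain(const struct toy_cert *chain, int n,
                            const char *trusted_root, verify_cb cb) {
  int i;
  for(i = n - 1; i >= 0; i--) {
    const char *expect = (i == n - 1) ? trusted_root : chain[i + 1].subject;
    if(!cb(strcmp(chain[i].issuer, expect) == 0, &chain[i]))
      return 0;
  }
  return 1;
}

/* Constructed samples: only good_chain ends in the trusted root. */
static const struct toy_cert good_chain[] = {
  { "CN=www.example.test", "CN=Example Root" },
  { "CN=Example Root", "CN=Example Root" } };
static const struct toy_cert rogue_chain[] = {
  { "CN=www.example.test", "CN=Rogue Root" },
  { "CN=Rogue Root", "CN=Rogue Root" } };

int main(void) {
  const char *root = "CN=Example Root"; /* constructed trust anchor */
  printf("return 1:  rogue accepted=%d\n",
         toy_verify_chain(rogue_chain, 2, root, cb_return_1));
  printf("return ok: rogue accepted=%d good accepted=%d\n",
         toy_verify_chain(rogue_chain, 2, root, cb_return_ok),
         toy_verify_chain(good_chain, 2, root, cb_return_ok));
  return 0;
}
```

With the pass-through callback the untrusted chain stops the walk at the first failed element, which is the abort the thread asks for before a password is sent.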