curl-users
Re: curl + polarssl certificate validation problem
Date: Thu, 29 Jul 2010 23:47:15 +0200 (CEST)
On Sun, 25 Jul 2010, Paul Bakker wrote:
(I'm CC'ing this response to the curl-library list which might be a better
list to keep this discussion on.)
> Within the PolarSSL patch in cURL, there is a call to
> ssl_get_verify_result(), where the result of the certification validation is
> retrieved.
>
> In case of a self-signed certificate, where the CA certificate is not passed
> to the library as trusted, PolarSSL will return BADCERT_NOT_TRUSTED.
I believe there's a bug there.
The PolarSSL return code 'BADCERT_CN_MISMATCH' sounds like it indicates that
the host name that is requested doesn't match the peer's certificate. In
libcurl this is controlled by a separate bit from the one that checks all
other certificate details.
I don't have a polarssl install prepared right now to test, but I suggest a
patch similar to the one I attach here. I'll appreciate comments/flames/praise
on how it behaves.
-- / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
- TEXT/x-diff attachment: polarssl-verify.patch
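To illustrate the separation Daniel describes, here is an added example in C; it is neither the attached patch nor libcurl's own code. It maps the bit flags returned by ssl_get_verify_result() onto two independent switches, mirroring libcurl's CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST: the name-mismatch flag is gated only by the host switch, every other flag only by the peer switch. The BADCERT_* values are assumed to match PolarSSL's x509.h and are redefined here so the block builds stand-alone; the function and enum names are hypothetical.

```c
#include <stdio.h>

/* Assumed to match PolarSSL's x509.h; mirrored here so the example is
 * self-contained. Only BADCERT_CN_MISMATCH and BADCERT_NOT_TRUSTED are
 * named in the mail, the other two are the remaining verify flags. */
#define BADCERT_EXPIRED      1
#define BADCERT_REVOKED      2
#define BADCERT_CN_MISMATCH  4
#define BADCERT_NOT_TRUSTED  8

/* Hypothetical outcome type: which of the two independent checks failed. */
enum verify_outcome {
    VERIFY_OK          = 0,
    VERIFY_PEER_FAILED = 1,  /* trust/validity problem and verifypeer is on */
    VERIFY_HOST_FAILED = 2   /* name mismatch and verifyhost is on */
};

/* verify_flags: value returned by ssl_get_verify_result().
 * verifypeer:   non-zero when the user asked for chain/trust verification.
 * verifyhost:   non-zero when the user asked for host name verification.
 * The name check is deliberately kept apart from the rest so that turning
 * one switch off never silently disables the other. */
enum verify_outcome map_verify_result(int verify_flags, int verifypeer,
                                      int verifyhost)
{
    /* Everything except the name check belongs to peer verification. */
    int peer_flags = verify_flags & ~BADCERT_CN_MISMATCH;

    if (verifypeer && peer_flags != 0)
        return VERIFY_PEER_FAILED;

    /* The name check is gated by its own switch only. */
    if (verifyhost && (verify_flags & BADCERT_CN_MISMATCH))
        return VERIFY_HOST_FAILED;

    return VERIFY_OK;
}

int main(void)
{
    /* Self-signed cert whose CN also does not match, peer check off but
     * host check on: must still be rejected because of the name. */
    int flags = BADCERT_NOT_TRUSTED | BADCERT_CN_MISMATCH;
    printf("outcome: %d\n", map_verify_result(flags, 0, 2));
    return 0;
}
```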