curl-users

Re: Antw: Re: libcurl client-certificate based authentication via https

From: Jochen Schaefer <jschaef_at_novell.com>
Date: Thu, 28 Jul 2011 08:28:05 +0100

Alex, Dan,

sorry for the confusion - you both are right - I meant it as Alex wrote below:
>>> Alex Bligh 07/27/11 8:01 PM >>>
Jochen,

--On 27 July 2011 17:56:13 +0100 Jochen Schaefer wrote:

> Maybe I've been unclear. The --libcurl option gives some hints how to
> write your own curl-app. But that is not the desired way here. We are
> using a standard libcurl within an initrd from SuSE during the
> boot/install process and do not want to recompile/change SuSE's libcurl.
> The question was if libcurl is searching at any default place for a
> client-certificate or does it read any environment which tells libcurl
> to use a certain client-certificate?

I am a bit confused.

Firstly you said this:

> I need to configure client-certificate based https communication to an
> apache2 webserver via libcurl from a linux server.
>
> I'm able to build a valid connection via curl cmdline tool and --cert
> and --capath parameter. Specifying them in .curlrc is working fine as
> well as specifying them on cmdline.
>
> However since the application is using libcurl and not curl cmdline tool
> it does not parse .curlrc.

What I would suggest you do is:

1. Run curl via the command line in a manner where it works (with
   the --cert and --capath parameters) but also with the --libcurl option.

2. Run curl via the command line in a manner where it does not work (without
   the --cert and --capath parameters) but with the --libcurl option.

3. Determine the difference between the output of (1) and (2).

4. Integrate those differences into your application.

For reference I think you want:

  curl_easy_setopt(object, CURLOPT_CAPATH, "/path/to/ca");

for the CA path, I'm not sure about --cert.

But then you said this:

> I don't know how to tell libcurl to use a certain client certificate for
> the connection. The tool which will be used is an external tool. Hacking
> it and specify the appropriate options in the code like outlined in the
> FAQ is not possible.

I think what you are saying is that this third party tool uses libcurl,
but you cannot change it so that it calls libcurl with the appropriate
options as per (4) above. My understanding is that it is up to this
application to provide proper paths, and libcurl itself isn't reading
it from environment variables etc. If you really can't fix the application
concerned, you may have to use an evil hack such as LD_PRELOADing a custom
library and passing the relevant options. E.g. trap one existing curl call
to do a setopt, and inject another.

-- 
Alex Bligh
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2011-07-28
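
The LD_PRELOAD approach described in the message above, as an added example that is not code from the thread or from the curl project: a shim that intercepts `curl_easy_perform` and first sets the libcurl options corresponding to `--cert`, `--key` and `--capath`. The `SHIM_*` environment variable names are hypothetical, and the option numbers are copied from `curl/curl.h` so the file builds without curl headers.

```c
#define _GNU_SOURCE                 /* RTLD_NEXT */
#include <dlfcn.h>
#include <stdlib.h>

#ifndef RTLD_NEXT                   /* glibc/musl value if _GNU_SOURCE came too late */
#define RTLD_NEXT ((void *)-1L)
#endif

/* Option numbers copied from curl/curl.h so the shim builds without curl headers. */
enum { OPT_SSLCERT = 10025, OPT_SSLKEY = 10087, OPT_CAPATH = 10097 };
struct tls_opt { int opt; const char *val; };

/* Hypothetical variable names chosen for this example; libcurl reads none of them. */
static const struct { const char *env; int opt; } tls_env[] = {
    { "SHIM_CLIENT_CERT", OPT_SSLCERT },   /* curl --cert   */
    { "SHIM_CLIENT_KEY",  OPT_SSLKEY  },   /* curl --key    */
    { "SHIM_CAPATH",      OPT_CAPATH  },   /* curl --capath */
};

/* Fill out[] with one entry per variable that is set and non-empty; return the count. */
int shim_collect(struct tls_opt out[3])
{
    int n = 0;
    for (size_t i = 0; i < sizeof tls_env / sizeof tls_env[0]; i++) {
        const char *val = getenv(tls_env[i].env);
        if (val && *val) {
            out[n].opt = tls_env[i].opt;
            out[n].val = val;
            n++;
        }
    }
    return n;
}

/* Interposed entry point: the application's call lands here before libcurl's. */
int curl_easy_perform(void *handle)
{
    int (*real_setopt)(void *, int, ...) =
        (int (*)(void *, int, ...))dlsym(RTLD_NEXT, "curl_easy_setopt");
    int (*real_perform)(void *) =
        (int (*)(void *))dlsym(RTLD_NEXT, "curl_easy_perform");
    struct tls_opt opts[3];
    int n = shim_collect(opts);
    if (!real_setopt || !real_perform)
        return 2;                           /* CURLE_FAILED_INIT */
    for (int i = 0, rc; i < n; i++)         /* inject the options, then hand over */
        if ((rc = real_setopt(handle, opts[i].opt, opts[i].val)) != 0)
            return rc;
    return real_perform(handle);
}
```

Build it as a shared object (for example `cc -shared -fPIC shim.c -o shim.so -ldl`) and start the unmodified program with `LD_PRELOAD` pointing at it. It only takes effect when the program is dynamically linked against libcurl and transfers through `curl_easy_perform`.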