curl-users

RE: curl configuration on HP-UX

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 21 Feb 2014 14:47:08 +0100 (CET)

On Fri, 21 Feb 2014, John Nisbet wrote:

> Please excuse incorrect use of terminology. You are correct, the server is
> requiring a client certificate to verify the server cert.

No, that's not possible. You either

1) have the client verify the server cert, and you do that with a CA cert
    bundle. That makes sure from the client side that you speak to the correct
    server. (But again, the server does not know if you do this check or not in
    the client side.)

  and/or

2) have the server verify the client, and you do that with a client cert (and
    key) that is sent to the server in the TLS negotiation. That allows the
    server to verify that it speaks to a correct client. This is rarely used.

Since you seem to be talking about case (1), you want the CA cert bundle to
verify the server cert. No client cert involved.

> (1) downloaded the prescribed certificate files and copied them to the
> server
>
> (2) converted them to .pem using openssl x509 . . . .
> (3) built the certificate bundle by
> - making a copy of an existing .pem file
> - appending each of the files in (2) to this copy
> - saving the new file under a new name
> (4) specified this new file as
> CURL_CA_BUNDLE=<path/filename>; export CURL_CA_BUNDLE
>
> Is there something else that we have to do?

It depends. Ideally that would be all that's required, but you need to make
sure that (1) truly is the correct CA cert - and sometimes you also need CA
certs for other entities in the trust chain.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-02-21
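The procedure quoted above (convert the downloaded certificates to PEM, append them to a bundle, point CURL_CA_BUNDLE at it) and the reply's caveat about the rest of the trust chain can be exercised end to end with a throwaway PKI. The script below is an added example, not part of the list mail or of curl itself: it generates a root CA, an intermediate CA and a server certificate for the made-up name www.example.test, round-trips the intermediate through DER and back to PEM as in step (2), builds the bundle as in step (3), and then checks the server certificate with `openssl verify` against a bundle with and without the intermediate. All file names, subjects and the hostname are assumptions for the demo; `openssl` is the only tool required.

```shell
#!/bin/sh
# Added example (not from the curl-users mail): build a CA bundle the way
# the quoted steps describe and verify a server cert against it with openssl,
# showing why a missing intermediate CA makes verification fail.
# Subjects, file names and the hostname www.example.test are made up.
set -eu

# Create a throwaway PKI in $1: root CA -> intermediate CA -> server leaf cert.
make_demo_pki() {
  dir=$1
  # Own req config so the script does not depend on the system openssl.cnf.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"

  # Self-signed root CA (EC key for speed).
  openssl req -x509 -config "$dir/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$dir/root.key" -out "$dir/root.pem" -subj "/CN=Example Root CA" -days 2 2>/dev/null

  # Intermediate CA, signed by the root.
  openssl req -new -config "$dir/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/ca.ext" -out "$dir/int.pem" -days 2 2>/dev/null

  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -config "$dir/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" -days 2 2>/dev/null

  # Step (2) of the quoted procedure: a CA cert obtained in DER form is
  # converted to PEM with openssl x509 before it can go into the bundle.
  openssl x509 -in "$dir/int.pem" -outform DER -out "$dir/int.der"
  openssl x509 -inform DER -in "$dir/int.der" -outform PEM -out "$dir/int-converted.pem"

  # Step (3): a bundle is just the PEM certificates appended to one file.
  cat "$dir/root.pem" "$dir/int-converted.pem" > "$dir/bundle.pem"
  # A second bundle that forgot the intermediate, to show the failure mode.
  cp "$dir/root.pem" "$dir/root-only.pem"
}

# Verify a server cert the way a client does: chain to a CA in the bundle
# and match the expected hostname. Exit status 0 means it verifies.
verify_server_cert() {
  bundle=$1; leaf=$2; host=$3
  openssl verify -CAfile "$bundle" -verify_hostname "$host" "$leaf" >/dev/null 2>&1
}

main() {
  dir=$(mktemp -d)
  make_demo_pki "$dir"
  if verify_server_cert "$dir/bundle.pem" "$dir/leaf.pem" www.example.test; then
    echo "bundle with root + intermediate: server cert verifies"
  fi
  if ! verify_server_cert "$dir/root-only.pem" "$dir/leaf.pem" www.example.test; then
    echo "bundle with root only: verification fails (intermediate missing from chain)"
  fi
  echo "curl would use the same file via CURL_CA_BUNDLE=$dir/bundle.pem or --cacert $dir/bundle.pem"
  rm -rf "$dir"
}

main
```

The second check is the situation the reply warns about: the bundle contains a genuine CA certificate, but not the one that actually issued the server certificate, so the client cannot complete the chain and the connection is refused even though every step of the quoted procedure was followed. No client certificate is involved anywhere; the bundle only tells the client which CAs it trusts when it checks the server.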