cURL / Mailing Lists / curl-users / Single Mail


Re: curl configuration on HP-UX

From: Alex Bligh <>
Date: Fri, 21 Feb 2014 13:55:38 +0000

On 21 Feb 2014, at 13:47, Daniel Stenberg wrote:

> No, that's not possible. You either

A couple of additions inline.

> 1) have the client verify the server cert, and you do that with a CA cert
> bundle. That makes sure from the client side that you speak to the correct
> server. (But again, the server does not know if you do this check or not in
> the client side.)
> and/or

"and/or" meaning here that you can do (1), you can do (2), you can do neither,
or you can do both. They are entirely independent.

> 2) have the server verify the client, and you do that with a client cert (and
> key) that is sent to the server in the TLS negotiation. That allows the
> server to verify that it speaks to a correct client. This is rarely used.

That is correct, but I'd add that the server validates the client certificate too.
Depending on the configuration, this may be an explicit list of client
certificates, or a check on the CN / subject of the client certificates and a
CA bundle or CA cert to ensure they were correctly signed.

> Since you seem to be talking about case (1), you want the CA cert bundle to verify the server cert. No client cert involved.

I think what OP is saying is that the host has now updated its server-side
certificates (perhaps using CA-signed ones rather than self-signed
ones), so he now wants to avoid using -k and verify the certificates
properly. For this, he needs a CA cert bundle installed.

This is normally the set of public keys of certificate authorities,
and versions of curl with Linux distributions tend to come with
those installed or easily installable. I believe he's asking
how to do that on HP-UX, which will, I think, depend on how he (or
HP) built curl.

Alex Bligh
Received on 2014-02-21
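
An added example, not part of the original mail or the curl project: one way to locate a CA bundle and pass it with `--cacert` instead of falling back to `-k`. The function names and any candidate paths passed as arguments are assumptions; `CURL_CA_BUNDLE` and `curl-config --ca` are the curl mechanisms it relies on.

```shell
#!/bin/sh
# Added example: choose a CA bundle for server verification (case 1 above).
# Function names are hypothetical; candidate paths are supplied by the caller.

# Succeed if the file is readable and holds at least one PEM certificate.
is_pem_bundle() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the first usable bundle, in this order:
#   1. $CURL_CA_BUNDLE (honoured by the curl tool),
#   2. the path compiled into libcurl, as reported by `curl-config --ca`,
#   3. any candidate paths given as arguments.
find_ca_bundle() {
    built_in=""
    if command -v curl-config >/dev/null 2>&1; then
        built_in=$(curl-config --ca 2>/dev/null) || built_in=""
    fi
    for f in "${CURL_CA_BUNDLE:-}" "$built_in" "$@"; do
        [ -n "$f" ] || continue
        if is_pem_bundle "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Fetch a URL with verification on; fail closed instead of using -k.
# Usage: verified_fetch URL [candidate-bundle-path ...]
verified_fetch() {
    url=$1
    shift
    bundle=$(find_ca_bundle "$@") || {
        echo "no CA bundle found; install one or set CURL_CA_BUNDLE" >&2
        return 2
    }
    curl --cacert "$bundle" --fail --silent --show-error "$url"
}
```

If `curl-config --ca` prints nothing, that curl build has no default bundle path, and a bundle has to be supplied through `CURL_CA_BUNDLE` or `--cacert`.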