curl-users

Re: Download SSL Server Certificate?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 7 Oct 2015 11:00:37 +0200 (CEST)

On Tue, 6 Oct 2015, Boris Lenz wrote:

> I'm not an expert on SSL by any means, but the way I understand the "SSL
> handshake process" is that the server sends its certificate first. If client
> authentication is required, the client will then send its certificates.

Yes, that roughly matches my understanding of it as well.

> This will fail here, but at that time, I, as the client, already received
> the server's certificate.

The server sends its certificate so that you (as a client) can verify that
you're communicating with the correct server. You verify the server's cert
with the use of a CA cert bundle.

When you use a client certificate, you (as a client) send that to the server
to have the server authenticate (using digital signatures) that you are indeed
the client you say you are. Client certificates are not used a lot and also, a
client certificate is something you're supposed to get from the server admins
over another channel. Usually, physical media handed over in person is
recommended.

So if you're really talking about using a client certificate, you must make
sure you have one. And its associated key. And you cannot just download them
from the server you're trying to authenticate with, as that would be the most
stupid authentication system in history.

However, since client certificates are so rarely used there's also a big
chance you actually are doing something else and are just confusing terms.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2015-10-07
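
The point made in the mail above, that a client certificate is only usable together with its associated key, shown as an added example (not part of the original mail and not curl code). It assumes the `openssl` command-line tool is installed; the names `demo-client` and `someone-else` and all file names are constructed for the demo, and a random challenge stands in for the handshake data that TLS actually signs.

```shell
#!/bin/sh
# Added example: a certificate is public; only the private key can produce the
# signature the verifying side checks. Constructed names and throwaway keys only.

make_identity() {    # $1 = directory, $2 = common name; writes key.pem and cert.pem
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

sign_challenge() {   # $1 = private key, $2 = challenge file, $3 = signature output
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

verify_with_cert() { # $1 = certificate, $2 = challenge, $3 = signature; 0 if valid
    # The verifier needs nothing but the public key embedded in the certificate.
    openssl x509 -in "$1" -noout -pubkey > "$1.pub" &&
    openssl dgst -sha256 -verify "$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_identity "$d/client" demo-client || return 1
    make_identity "$d/other" someone-else || return 1
    openssl rand -hex 32 > "$d/challenge"   # fresh value per connection
    # The legitimate owner signs with the key that matches the certificate.
    sign_challenge "$d/client/key.pem" "$d/challenge" "$d/good.sig"
    # A party that only holds a copy of cert.pem has to sign with some other key.
    sign_challenge "$d/other/key.pem" "$d/challenge" "$d/bad.sig"
    verify_with_cert "$d/client/cert.pem" "$d/challenge" "$d/good.sig" \
        && owner=accepted || owner=rejected
    verify_with_cert "$d/client/cert.pem" "$d/challenge" "$d/bad.sig" \
        && copy=accepted || copy=rejected
    rm -rf "$d"
    echo "owner=$owner copy=$copy"
}

demo   # prints: owner=accepted copy=rejected
```

With curl, the certificate and key pair are passed with `--cert` and `--key`, while `--cacert` names the CA bundle used to verify the server.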