Download
Browse source Changelog
Documentation
Project   Bug Bounty   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-users / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Consistent certificate validation

From: François via curl-users <curl-users_at_cool.haxx.se>
Date: Wed, 4 Dec 2019 21:20:59 +0100

curl certificate validation seems to depend on the SSL library used to
build curl.
In some cases like when linking with openssl,you need to provide the
root certificate to be able to connect with curl --capath or curl
--cacert. In case you are using the -capath option and curl is built
with openssl, you must use c_rehash to create the needed symlinks.

However if curl is built like this without openssl like in this example:
$ curl -V
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10
zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP UnixSockets

there is no need to create the symlinks with c_rehash, also you don't
need to have the root certificate within the capath folder, and you
can just provide the server certificate to cacert. curl will not
complain about any "self signed certificate in certificate chain"
because it did not know about the root CA.

This is bothering because I don't want to authorize every single
certificate signed by an authority, but just a single one, which
subject is matching the server I'm targeting. It also means that a
script calling curl --cacert might break following an update of curl,
so in the end the most portable way to use curl remains to use the
--insecure option.

The documentation that curl links you to in case you get a "self
signed certificate" is pretty detailed but does not address this
openssl peculiarity (eg it mentions the openssl -showcerts command,
but does not mention that you cannot just take any of the certificates
there, you need to use the self-signed root one in the case curl is
linked with openssl). If my understanding is correct, do you think
there is either a way to change the way openssl is called to verify
the certificate chain, or if there is anything clearer that could be
replied to the user in case of certificate issue (so that the user
does not automatically goes to the --insecure option)?

Thank you!
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-12-04