curl-library

Re: SSL connections and authenticity

From: Cris Bailiff <c.bailiff+curl_at_awayweb.com>
Date: Tue, 12 Nov 2002 09:23:41 +1100

On Sun, 10 Nov 2002 11:26 am, Dan Wood wrote:
> I'm trying to verify that my use of libcurl can handle SSL -- and
> without any fanfare, I'm able to connect to test sites like
>
> https://www.stanford.edu/group/idg/leland/samples/secure/test.html
>
> and I just get the page contents, no big deal.
>
> However, I notice that another test site
> <https://www.fortify.net/sslcheck.html> presents an error message:
>
> SSL: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The fortify web site uses a self-signed certificate - it is not signed by one
of the 'well known' certificate authorities included in the 'ca-bundle.crt'
file supplied with curl (since 7.10).

> So I *think* that everything is OK, that SSL is fully working, and it's
> paying attention to certificates.

Yep, you got it - the certificate from a known CA was trusted, and the unknown
one rejected, as should be expected.

> I'm not terribly familiar with these
> kinds of issues, so can anybody who *is* verify that everything is as
> expected? Any other ways that I can test that SSL is working properly?

'Properly' is a big call, especially for a cryptographic protocol ;-), but
basically libcurl is doing what you wanted. You can always use
tcpdump/ethereal to show that the data is encrypted 'on the wire', and
ethereal will break the protocol up quite nicely and show you the handshakes
and certificate exchange.

You can also view the site certificates from your test sites using a regular
browser (or the 'openssl s_client -connect host:port' command), and look at
the certificate details (name, expiry) and signature chain, and manually
verify that you can indeed find the signing certificate in the ca-bundle.crt
file (or not, as appropriate).

You can also change or augment the ssl certificate checking behaviour of
libcurl (as Daniel just explained) to have behaviour similar to typical
browsers (and bypass real security altogether!).

Cris

Received on 2002-11-11
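The checks Cris describes (look at the certificate's name, expiry and issuer, confirm the signing certificate really is in ca-bundle.crt, and compare that with what the library decides) can be rehearsed offline. The script below is an added example, not code from the original mail or from the curl project. It uses only the openssl command line: a throw-away CA stands in for one of the "well known" CAs in ca-bundle.crt, a server certificate signed by it stands in for the Stanford test site, and a self-signed certificate stands in for fortify.net. The hostnames, file names and scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail or the curl project: reproduce,
# offline, the two outcomes seen in the thread using only the openssl CLI.
# The hostnames, the scratch directory and the file names are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}
BUNDLE="$WORK/ca-bundle.crt"

# Generate the test material once (safe to call more than once).
make_certs() {
  [ -f "$WORK/self.crt" ] && return 0
  # the "well known" CA: self-signed, CA:TRUE comes from openssl's default v3_ca section
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$BUNDLE" 2>/dev/null
  # a server certificate signed by that CA (the trusted case)
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$BUNDLE" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/server.crt" 2>/dev/null
  # a self-signed server certificate, signed by nobody in the bundle (the rejected case)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=selfsigned.example.test" -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# The automated decision: build a chain from CERT ($1) to something in BUNDLE ($2),
# which is what libcurl does with the CA file you give it. Prints "ok" or "fail".
# The ": OK" line is matched rather than the exit status because old openssl
# versions returned 0 even when verification failed.
verify_against_bundle() {
  if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

# The manual check from the mail: the details you would eyeball in a browser
# or in 'openssl s_client' output (name, issuer, validity window).
cert_details() {
  openssl x509 -in "$1" -noout -subject -issuer -startdate -enddate
}

# Is the signing certificate actually in the bundle? Compare the leaf's
# issuer-name hash with the subject-name hash of every certificate in BUNDLE.
# Prints "yes" or "no".
issuer_in_bundle() {
  want=$(openssl x509 -in "$1" -noout -issuer_hash)
  # split a (possibly multi-certificate) PEM bundle into one file per certificate
  awk -v d="$WORK" '/BEGIN CERTIFICATE/{n++; f=d "/bundle-" n ".pem"} f!=""{print > f}' "$2"
  for c in "$WORK"/bundle-*.pem; do
    if [ "$(openssl x509 -in "$c" -noout -subject_hash)" = "$want" ]; then
      echo yes
      return 0
    fi
  done
  echo no
}

make_certs
for leaf in server.crt self.crt; do
  echo "== $leaf"
  cert_details "$WORK/$leaf"
  echo "issuer in bundle: $(issuer_in_bundle "$WORK/$leaf" "$BUNDLE")"
  echo "openssl verify:   $(verify_against_bundle "$WORK/$leaf" "$BUNDLE")"
done
```

The CA-signed certificate reports "yes"/"ok" and the self-signed one "no"/"fail", the same split Dan saw between the two sites. The bundle file here plays the role of ca-bundle.crt: it is what you hand to `curl --cacert` or `CURLOPT_CAINFO`. Turning verification off (`curl -k`, or `CURLOPT_SSL_VERIFYPEER` set to 0) makes the self-signed case "succeed" too, which is the bypass of real security the mail warns about.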