
curl-library

Re: Using libcurl/SSL with in-core certificate

From: Peter Sylvester <Peter.Sylvester_at_edelweb.fr>
Date: Tue, 23 Aug 2005 16:53:30 +0200

For self-signed certificates, what you need to do is add a certificate
validation callback and accept the certificate, since the OpenSSL routines
will not allow you to just parameterize the store:

To do this you need the sslctx function for curl and set a
cert_verify_callback where you have to check the return code self signed
cert in chain and level 0 and change this into ok.

But another, more recommended way is to use your own CA and sign
the server cert, and then just use the X509_STORE_add_cert function to set
a CA cert that you have included in your code.

In docs/examples/curlx.c some pieces of all this are coded.

theo borm wrote:

> Dear list members,
>
> I have an application that needs to communicate with a single
> https server using a self-signed certificate. The application needs
> to be wholly self-contained (statically linked, no external data files),
> and must be able to run from a read-only filing system. Therefore
> I cannot install a (modified) certificate bundle, nor can I use
> the default certificate bundle usually installed with curl (the app).
>
> There does not seem to be an easy libcurl function that can (for
> instance) pass a full (pem) certificate in a string rather than
> a filename to a pem certificate in an external file, and indeed
> openssl does not seem to have an easy interface to accomplish
> this either. So far I have been groveling through the openssl
> X509_STORE structure to see if I can manually fill it using
> my certificate data, but unfortunately this structure is very much
> like spaghetti, and I have the fear that manually poking around
> in it will result in non-portable, non-maintainable source code.
>
> Is there a more elegant way to use libcurl with a compiled-in
> certificate?
>
> with kind regards,
>
> Theo Borm

-- 
To verify the signature, see http://edelpki.edelweb.fr/ 
This lets you load the authority's certificate;
you will also find the list of revoked certificates there.

Received on 2005-08-23