curl-library

Re: Using libcurl/SSL with in-core certificate

From: theo borm <theo_curl_at_borm.org>
Date: Wed, 24 Aug 2005 09:57:20 +0200

Peter Sylvester wrote:

> For self signed certificates what you need to do is to add a
> certificate validation call back and accept the certificate, since
> the openssl routines will not allow to just parameterize the store:

I don't know if that won't work; I only know that populating the X509_STORE
is not practical; dozens of nested structures need initialization. Nearly all
undocumented, and often confusing. Of course approaching the problem of
understanding this structure from the wrong end doesn't help either :-(

>
>
> To do this you need the sslctx function for curl and set a
> cert_verify_callback
> where you have to check the return code self signed cert in chain and
> level 0
> and change this into ok.

I guess this sounds simpler than it really is...

>
> but another more recommended way is to use your own CA and sign
> the server cert, and then just use the
> X509_STORE_add_cert function to set a CA cert, that you have included
> in your code.

I looked at openssl's docs, but stopped short of weeding through the header
files to locate useful functions.... none of the X509_* functions seem to
have documentation, but then again, I may be looking in the wrong place.

>
> in docs/examples/curlx.c some pieces of all this is coded.

Thanks, I'll have a look at that.

It doesn't seem to be linked to from the "libcurl - small example snippets"
page ( http://curl.haxx.se/libcurl/c/example.html ) though...

regards,

Theo
Received on 2005-08-24