
curl-library

Using CURLOPT_SSL_VERIFYHOST

From: Nilesh <nilesh_at_kenati.com>
Date: Wed, 22 Mar 2006 11:58:12 +0530

Hi All,

Requirement: I want to validate the certificate coming from the server when
'https' is used.
My application wants to validate the certificate coming from the server. This
validation should be based only on the IP address/hostname of the server,
which will be part of the certificate subject as CN (CommonName). My
application knows the hostname/IP address of the server from which the
certificate will come.

Curl support: version 7.15.1, with OpenSSL 0.9.7.
Curl gives an option, CURLOPT_SSL_VERIFYHOST, to check if the certificate is
coming from the desired server.
What the man page says is that curl will compare the hostname/IP address of
the URL with the CN of the incoming certificate.
But what I found is that it requires a local certificate with the CN set to
the hostname/IP address. This certificate has to be stored on the client
side, specified by CURLOPT_CAINFO and CURLOPT_CAPATH.
As I understand it, it will basically compare the CN portion of the
certificates (inside the stored local certificate and the incoming
certificate) and say if it is valid or not. Am I correct?

Query:
Is it possible for me to specify (set) the IP address/hostname and let curl
use only that for comparing against the CN of the certificate coming from
the server?
That way I don't require a certificate to be stored on the client side
beforehand.

I hope I am clear on the issue I am facing while doing certificate
validation. Let me know if anybody wants the piece of code I tried.

Any criticism, help, direction, knowledge, or workaround in this regard
will be helpful, and I will be thankful.

Thanks,
Nilesh
Received on 2006-03-22
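The check the post is asking about, the comparison of the host named in the URL against the names in the server's certificate, is what CURLOPT_SSL_VERIFYHOST set to 2 performs inside libcurl; it is separate from chain validation (CURLOPT_SSL_VERIFYPEER with CURLOPT_CAINFO/CURLOPT_CAPATH), which is the part that needs a trust store on the client. The program below is an added example, not libcurl's own code and not the poster's: it reimplements that host-name check stand-alone, so it runs without libcurl or a network, and covers the two edge cases a practitioner trips over, a wildcard name (which must match exactly one label and may only appear as the whole leftmost label) and an IP-address host (which must match a certificate name exactly, never via a wildcard). The certificate names and hosts in main() are constructed sample data; the function names cert_name_matches and verify_host are this example's own.

```c
/* Added example: the host-name comparison that CURLOPT_SSL_VERIFYHOST=2
 * performs, reimplemented stand-alone. Not libcurl's code. The candidate
 * names would normally come from the peer certificate's subjectAltName
 * dNSName entries and its subject CN. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if host is an IPv4 or IPv6 literal such as "192.0.2.10". */
static bool is_ip_literal(const char *host) {
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Case-insensitive equality of two byte ranges (DNS names ignore case). */
static bool eq_ci(const char *a, size_t alen, const char *b, size_t blen) {
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Does one certificate name (CN or SAN dNSName) cover this host? */
bool cert_name_matches(const char *pattern, const char *host) {
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen == 0 || hlen == 0) return false;

    const char *star = strchr(pattern, '*');

    /* An IP-address host must match a name byte for byte; no wildcards. */
    if (is_ip_literal(host))
        return star == NULL && eq_ci(pattern, plen, host, hlen);

    /* No wildcard: plain case-insensitive comparison of the whole name. */
    if (star == NULL)
        return eq_ci(pattern, plen, host, hlen);

    /* Wildcard only as the entire leftmost label ("*.example.com"),
     * and only one of them. "www.*.com" or "w*.example.com" is rejected. */
    if (star != pattern || pattern[1] != '.' || strchr(star + 1, '*') != NULL)
        return false;

    /* Refuse overly broad patterns such as "*.com": need two labels after '*'. */
    size_t dots = 0;
    for (const char *p = pattern; *p; p++)
        if (*p == '.') dots++;
    if (dots < 2) return false;

    /* The '*' consumes exactly one non-empty host label; the remainder of the
     * pattern (".example.com") must equal the remainder of the host. */
    const char *hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host) return false;
    return eq_ci(pattern + 1, plen - 1, hdot, hlen - (size_t)(hdot - host));
}

/* VERIFYHOST=2 semantics: the host must match at least one certificate name. */
bool verify_host(const char *host, const char *const *cert_names, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (cert_name_matches(cert_names[i], host)) return true;
    return false;
}

int main(void) {
    /* Constructed sample: names a server certificate might carry. */
    const char *const names[] = { "www.example.com", "*.api.example.com", "192.0.2.10" };
    const char *hosts[] = {
        "WWW.example.com",       /* case differs: match */
        "v1.api.example.com",    /* one label under the wildcard: match */
        "a.b.api.example.com",   /* two labels under the wildcard: no match */
        "api.example.com",       /* nothing for '*' to consume: no match */
        "192.0.2.10",            /* exact IP name: match */
        "192.0.2.11",            /* different IP: no match */
    };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s %s\n", hosts[i],
               verify_host(hosts[i], names, 3) ? "match" : "NO MATCH");
    return 0;
}
```

In the libcurl program itself the corresponding settings are `curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 2L)` for this name check and `curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 1L)` together with `CURLOPT_CAINFO` (or `CURLOPT_CAPATH`) pointing at the CA bundle that signed the server's certificate for the chain check. Both belong on a production client: the name check alone does not tell you who issued the certificate, and the chain check alone does not tell you it was issued for the host you dialled.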