curl-library

CURLOPT_SSLCERT to verify a server and do mutual key exchange

From: Paul Bergen <bergen.p0_at_gmail.com>
Date: Tue, 20 Mar 2012 21:31:29 -0700

I created an app which uses libcurl to post some data to 5 different
servers. To keep it a closed and secure system, they're giving me the
public keys for the 5 servers, which I store in my app, i.e.:
server1.foo.com = [cert1], server2.foo.com = [cert2].

I'm supposed to hardcode it so that when I do the http post to their
server, I will ONLY connect to the server with the cert they gave me
for it. And, when they receive the http post, they will only accept
it if it's coming from my specific server. So, if I do: 'curl
https://something.com' it will fail, even if something.com is a
totally legit server with a valid key, unless the public key is the
one I specify.

I'm reading the docs for CURLOPT_SSLCERT but it says: "The string
should be the file name of your certificate". I'm assuming YOUR
certificate, means this isn't referring to the public key on the
server which I will accept. While googling for how to do this I saw
this post: http://curl.haxx.se/mail/curlphp-2005-11/0044.html which
says that to use CURLOPT_SSLCERT I need to set a path to a private
key. Which seems confusing because normal https afaik involves just 1
key -- a public key which you get from the server. And I wasn't sure
why limiting curl to using a specific public key would require a
private key. Unless I'm missing the purpose of CURLOPT_SSLCERT and
it's not used to verify a specific key from a server.

Separately, in my case, though, they want to use 'mutual'
authentication where I actually DO have my own key on top of this. I
assumed CURLOPT_SSLKEY is the correct option to set my private key,
and that if I set this, then the curl request would use mutual
authentication instead of simple. But I wasn't clear on this from the
docs.

Anybody know if there's some resource that covers this process a bit more in depth?

Thanks
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-03-21