
Re: CURLOPT_SSLCERT to verify a server and do mutual key exchange

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sun, 1 Apr 2012 20:34:14 +0200 (CEST)

On Tue, 20 Mar 2012, Paul Bergen wrote:

(First, please excuse the time I've taken to respond to this!)

> I created an app which uses libcurl to post some data to 5 different
> servers. To keep it a closed and secure system, they're giving me the
> public keys for the 5 server, which I store in my app. ie: server1.foo.com
> = [cert1], server2.foo.com = [cert2].
>
> I'm supposed to hardcode it so that when I do the http post to their
> server, I will ONLY connect to the server with the cert they gave me
> for it. And, when they receive the http post, they will only accept
> it if it's coming from my specific server.

To me, that sounds as if the POST receivers should require a client
certificate from you...

> I'm reading the docs for CURLOPT_SSLCERT but it says: "The string should be
> the file name of your certificate". I'm assuming YOUR certificate, means
> this isn't referring to the public key on the server which I will accept.

With SSL you don't normally tell which certificates to accept. You have a list
of certs for CAs that you trust, and then servers' certs are checked if they
are signed by one of the trusted CAs.

In this case, this particular option refers to your *client* cert.

> While googling for how to do this I saw this post:
> http://curl.haxx.se/mail/curlphp-2005-11/0044.html which says that to use
> CURLOPT_SSLCERT I need to set a path to a private key. Which seems
> confusing because normal https afaik involves just 1 key -- a public key
> which you get from the server.

If you use client certs you need a key for that as well.

> Unless I'm missing the purpose of CURLOPT_SSLCERT and it's not used to
> verify a specific key from a server.

To make libcurl accept only a particular key, I can think of at least two
ways: you would either have your own private CA cert (for each server) and
only trust that for each server, or you can use CURLOPT_SSL_CTX_FUNCTION to
craft up your own customized check.

> Separately, in my case, though, they want to use 'mutual' authentication
> where I actually DO have my own key on top of this. I assumed
> CURLOPT_SSLKEY is the correct option to set my private key, and that if I
> set this, then the curl request would use mutual authentication instead of
> simple. But I wasn't clear on this from the docs.

If you by mutual auth mean client certificate in addition to verifying the
server's, then yes.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2012-04-01