curl-library
Re: OpenSSL: Multiple CA paths
Date: Sun, 22 Jul 2012 10:42:12 +0200
On 20-07-12 22:13, Daniel Stenberg wrote:
> On Fri, 20 Jul 2012, pcworld wrote:
>
>> is it currently possible to set multiple paths in CURLOPT_CAPATH, or any
>> other way to achieve this?
>
> No. OpenSSL only allows a single path or a single file.
Well, OpenSSL has an underlying interface to do it. Also the storage in an
X509_STORE struct is declared as "STACK_OF(X509_LOOKUP) *get_cert_methods;"
which gives a hint of multiplicity.
The normal file and hash_dir call is actually two calls, one to
X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file()); and one to
X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_hash_dir()); with
X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM) and
X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM) respectively to extend
the lookup methods in the SSL_CTX_STORE.
With respect to libcurl this means you'll have to construct your own SSL_CTX
and add your custom lookups to an SSL_CTX_STORE. There is an example[0] on
the libcurl pages.
I've never had the need for this myself, but somebody on StackOverflow[1]
dared to state it worked for him/her. And here[2] is an example of some code
that is NOT using libcurl, but does use the lower-level lookup sequences to
set up an SSL_CTX.
Warning/Disclaimer: this method will exclusively work with OpenSSL; other
SSL implementations will have different/other limitations, and libcurl can be
used with other SSL implementations.
cheers,
Oscar
[0]: http://curl.haxx.se/libcurl/c/cacertinmem.html
[1]: http://stackoverflow.com/questions/7642152/using-openssl-and-want-to-use-multiple-ca-dirs-for-load-verify-locations
[2]: https://ndpfsvn.nikhef.nl/repos/mwsec/trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-07-22