
curl-library

Re: libcurl with client ssl certificate

From: Ralph Mitchell <ralphmitchell_at_gmail.com>
Date: Sun, 19 Aug 2012 14:31:07 -0400

On Sun, Aug 19, 2012 at 1:57 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Sun, 19 Aug 2012, Ralph Mitchell wrote:
>
>>>> static const char *pCertFile = "cert.pem";
>>>>
>>>> static const char *pCACertFile="cert.pem";
>>>>
>>>
>>> This seems like a highly unlikely scenario. The same file, really?
>>>
>>
>> A self-signed cert would be its own CA cert, so it's possible.
>>
>
> But the pCertFile is the SSL _client_ cert. It would mean that he uses the
> client cert file to verify the server cert and still also use that to
> authenticate to the server. It might be possible, but my money is on a
> mistake or misunderstanding somewhere.

Yes, true!! The *server* would need to have the client's CA chain to
validate the client cert, and the *client* would need the server's CA chain
to validate the server cert. If the OP has a self-signed CA cert that
signed both the client and server certs, the chain file would be the same
for both ends.

However, command-line curl must have successfully validated the server
using just the CApath:

     * successfully set certificate verify locations:
     * CAfile: none
       CApath: /etc/ssl/certs

so pCACertFile doesn't need setting to cert.pem.

>> so the key would need to be in the same file too. The one thing that I'm
>> not sure about is the compiled program reporting:
>>
>> * found 142 certificates in /etc/ssl/certs/ca-certificates.crt
>>
>> when it *should* be looking for CA certs in the file designated by
>> pCACertFile. Does libcurl automatically look in ca-certificates as well as
>> any file you designate?
>>
>
> Very good remark there! No, libcurl will in that case only use the single
> file specified in the setopt. It would indicate that he actually has 142
> certificates in the file. That also hints that it isn't a client cert at
> all...

In command-line curl, -E <filename> specifies a file containing both key
and matching certificate. Is libcurl going to bail out if it finds
multiple unrelated certificates in that file, as well as the expected
key/cert entries? Does the order of the entries matter?

Personally, I'd prefer to keep the key, cert and chain files separate, so I
know what's where, but I can see there might be reasons for keeping the pem
files in one big lump.

Ralph Mitchell
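As an added illustration (not code from this thread, from Ralph, or from the curl project), here is a small C check of the kind a caller can run over a PEM file before handing it to libcurl. It counts CERTIFICATE and PRIVATE KEY blocks, which is enough to tell a client identity (one key plus its certificate and maybe a chain, what CURLOPT_SSLCERT expects) from a CA bundle (certificates only, what CURLOPT_CAINFO expects), so a "found 142 certificates" message is caught as a mix-up before the handshake. The two PEM texts are constructed placeholders, not real key or certificate material; the check does not answer the open question of whether libcurl itself rejects unrelated certificates in an -E style file, and makes no assumption about the OP's setopt calls.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample PEM files (placeholders, not real key or certificate
 * material); only the BEGIN/END markers matter to the check below. */
static const char identity_pem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-CLIENT-CERT\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "PLACEHOLDER-CLIENT-KEY\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-ISSUER-CERT\n"
    "-----END CERTIFICATE-----\n";

static const char bundle_pem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-CA-1\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-CA-2\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-CA-3\n"
    "-----END CERTIFICATE-----\n";

struct pem_summary {
    int certs;  /* number of CERTIFICATE blocks */
    int keys;   /* number of PRIVATE KEY blocks of any type (RSA, EC, PKCS#8, ...) */
};

enum pem_kind {
    PEM_EMPTY,            /* no PEM blocks at all */
    PEM_CLIENT_IDENTITY,  /* one key plus certificate(s): what CURLOPT_SSLCERT expects */
    PEM_CERTS_ONLY,       /* certificates without a key: a CA bundle for CURLOPT_CAINFO */
    PEM_KEY_ONLY,         /* a bare key: what CURLOPT_SSLKEY expects */
    PEM_AMBIGUOUS         /* more than one key: split the file before using it */
};

/* Bounded substring search inside one line (the line is not NUL-terminated at len). */
static int line_has(const char *line, size_t len, const char *needle) {
    size_t n = strlen(needle);
    size_t i;
    for (i = 0; i + n <= len; i++)
        if (memcmp(line + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Walk the text line by line and count BEGIN markers. */
static struct pem_summary summarize_pem(const char *text) {
    struct pem_summary s = {0, 0};
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (line_has(p, len, "-----BEGIN CERTIFICATE-----"))
            s.certs++;
        else if (line_has(p, len, "-----BEGIN ") && line_has(p, len, "PRIVATE KEY-----"))
            s.keys++;
        p = eol ? eol + 1 : p + len;
    }
    return s;
}

/* Decide which libcurl option a file of this shape belongs to. */
static enum pem_kind classify_pem(struct pem_summary s) {
    if (s.certs == 0 && s.keys == 0) return PEM_EMPTY;
    if (s.keys == 1 && s.certs >= 1) return PEM_CLIENT_IDENTITY;
    if (s.keys == 0)                 return PEM_CERTS_ONLY;
    if (s.keys == 1 && s.certs == 0) return PEM_KEY_ONLY;
    return PEM_AMBIGUOUS;
}

static const char *kind_name(enum pem_kind k) {
    switch (k) {
    case PEM_EMPTY:           return "empty (no PEM blocks)";
    case PEM_CLIENT_IDENTITY: return "client identity (CURLOPT_SSLCERT)";
    case PEM_CERTS_ONLY:      return "certificates only (CURLOPT_CAINFO)";
    case PEM_KEY_ONLY:        return "private key only (CURLOPT_SSLKEY)";
    default:                  return "ambiguous (several keys)";
    }
}

static void report(const char *label, const char *pem) {
    struct pem_summary s = summarize_pem(pem);
    printf("%s: %d certificate(s), %d key(s) -> %s\n",
           label, s.certs, s.keys, kind_name(classify_pem(s)));
}

int main(void) {
    report("identity_pem", identity_pem);  /* 2 certificate(s), 1 key(s) -> client identity */
    report("bundle_pem", bundle_pem);      /* 3 certificate(s), 0 key(s) -> certificates only */
    return 0;
}
```

In practice the same function would be run over the real file names passed to CURLOPT_SSLCERT and CURLOPT_CAINFO, which makes the "same file for both" case stand out immediately: a single file cannot be both a one-key identity and a key-free CA bundle.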

Received on 2012-08-19