
curl-library

Re: libcurl with client ssl certificate

From: Chris Baylis <chrisbay90_at_gmail.com>
Date: Mon, 20 Aug 2012 16:14:24 +1000

Thank you all for your input. It led me to a little investigation and,
as it turns out, I didn't know what I was doing with the keys.
Originally the client key was signed by the client itself. I now have
client keys signed by the web server, and I can run simplessl.c with my
keys and curl_easy_setopt(curl,CURLOPT_CAINFO,pCACertFile) disabled.
Curious though how `curl -E cert url` worked in the original
scenario when simplessl.c did not.

On 20 August 2012 04:31, Ralph Mitchell <ralphmitchell_at_gmail.com> wrote:
> On Sun, Aug 19, 2012 at 1:57 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
>>
>> On Sun, 19 Aug 2012, Ralph Mitchell wrote:
>>
>>>> static const char *pCertFile = "cert.pem";
>>>>
>>>> static const char *pCACertFile="cert.pem";
>>>>
>>>> This seems like a highly unlikely scenario. The same file, really?
>>>
>>>
>>> A self-signed cert would be its own CA cert, so it's possible.
>>
>>
>> But the pCertFile is the SSL _client_ cert. It would mean that he uses the
>> client cert file to verify the server cert and still also use that to
>> authenticate to the server. It might be possible, but my money is on a
>> mistake or misunderstanding somewhere.
>
>
> Yes, true!! The *server* would need to have the client's CA chain to
> validate the client cert, and the *client* would need the server's CA chain
> to validate the server cert. If the OP has a self-signed CA cert that
> signed both the client and server certs, the chain file would be the same
> for both ends..
>
> However, command-line curl must have successfully validated the server using
> just the CApath:
>
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs
>
> so pCACertFile doesn't need setting to cert.pem.
>
>>> so the key would need to be in the same file too. The one thing that I'm
>>> not sure about is the compiled program reporting:
>>>
>>> * found 142 certificates in /etc/ssl/certs/ca-certificates.crt
>>>
>>> when it *should* be looking for CA certs in the file designated by
>>> pCACertFile. Does libcurl automatically look in ca-certificates as well as
>>> any file you designate?
>>
>>
>> Very good remark there! No, libcurl will in that case only use the single
>> file specified in the setopt. It would indicate that he actually has 142
>> certificates in the file. That also hints that it isn't a client cert at
>> all...
>
>
> In command-line curl, -E <filename> specifies a file containing both key and
> matching certificate. Is libcurl going to bail out if it finds multiple
> unrelated certificates in that file, as well as the expected key/cert
> entries? Does the order of the entries matter?
>
> Personally, I'd prefer to keep the key, cert and chain files separate, so I
> know what's where, but I can see there might be reasons for keeping the pem
> files in one big lump.
>
> Ralph Mitchell
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-08-20
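As an added diagnostic, not code from this thread or from the curl project: a stdlib-only Python check that counts the PEM blocks in the files handed to CURLOPT_SSLCERT and CURLOPT_CAINFO and flags the mix-ups discussed above (the same file used for both, or a CA bundle with many certificates and no key passed as the client cert). The PEM bodies below are constructed placeholders, and the file-path names are assumptions.

```python
import re

# Constructed sample PEM files: the base64 bodies are placeholders, not real keys or certs.
CLIENT_PEM = (
    "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
)
# A bundle like /etc/ssl/certs/ca-certificates.crt: many certs, no key (142 as in the thread).
CA_BUNDLE_PEM = "".join(
    "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
    for _ in range(142)
)

# One PEM block; the backreference makes BEGIN and END labels match.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_counts(pem_text: str) -> dict:
    """Count PEM blocks by label, e.g. {'PRIVATE KEY': 1, 'CERTIFICATE': 1}."""
    counts = {}
    for m in PEM_BLOCK.finditer(pem_text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def classify(pem_text: str) -> str:
    """'client-identity' = exactly one private key plus cert(s); 'ca-bundle' = certs only."""
    c = pem_counts(pem_text)
    certs = c.get("CERTIFICATE", 0)
    keys = sum(n for label, n in c.items() if label.endswith("PRIVATE KEY"))
    if keys == 1 and certs >= 1:
        return "client-identity"
    if keys == 0 and certs >= 1:
        return "ca-bundle"
    return "unknown"


def audit_curl_tls_files(files: dict, sslcert: str, cainfo: str = None) -> list:
    """Return warnings for the setopt values; `files` maps path -> PEM text (assumed paths)."""
    warnings = []
    if cainfo is not None and cainfo == sslcert:
        warnings.append("CURLOPT_SSLCERT and CURLOPT_CAINFO point at the same file")
    kind = classify(files[sslcert])
    if kind != "client-identity":
        warnings.append(f"{sslcert}: looks like a {kind}, not a client cert plus key")
    if cainfo is not None and classify(files[cainfo]) == "client-identity":
        warnings.append(f"{cainfo}: contains a private key; a CA file should hold only certs")
    return warnings
```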