cURL / Mailing Lists / curl-library / Single Mail


Re: SSL with Client Cert but without Server cert validation?

From: William Lear <>
Date: Sat, 6 Oct 2012 11:53:15 -0400

On 03-10-12 09:47, Oscar Koeroo wrote:

> Hi,


> Do you have more information on how/why it failed. For example by using
the verbose output?>


> There are two options to toggle:

> curl_easy_setopt(hc->curl, CURLOPT_SSL_VERIFYPEER, 1L);

> curl_easy_setopt(hc->curl, CURLOPT_SSL_VERIFYHOST, 2L);


> Details are available in the documentation. Setting both to zero is equal
to the "-k" option.>



> If you also want to remove the usage of the default included CA bundle
(this is an add-on to the previous options), then you could write a small
SSL_CTX > callback function:

> curl_easy_setopt(hc->curl, CURLOPT_SSL_CTX_FUNCTION,


> This callback function will prepare a bare SSL_CTX and by default is has
no default CA location inclusion, like the CA bundle file.



> Oscar


> On 02-10-12 19:55, Bill Lear wrote:

> > I have an unusual situation with an embedded SSL client using libcurl.

> >

> > I need to send a client certificate to the server for validation even

> > though the client does not validate the server certificate.


> >

> > Is this possible? I have confirmed that I can establish a connection
when I supply a CACert bundle and set VERIFYPEER = 1, but the connection is
refused when I set VERIFYPEER = 0.

> >

> > Thanks,

> >

> > Bill


Oscar, Sorry for the delayed response.

I found a way to avoid the problem I was seeing.


The failing test code was:

     curl_easy_setopt(hCurl, CURLOPT_SSLCERT, "path/to/ClientCert");

     curl_easy_setopt(hCurl, CURLOPT_CAINFO, "path/to/CABundle");

     curl_easy_setopt(hCurl, CURLOPT_SSL_VERIFYHOST, 2L);

     curl_easy_setopt(hCurl, CURLOPT_SSL_VERIFYPEER, 0); // set to 1 to
validate server cert, 0 to skip validation




With this code, when I set CURLOPT_SSL_VERIFYPEER to 0, libcurl verbose
messages would correctly indicate,

"self signed certificate in certificate chain (19), continuing anyway."

but the connection would fail (server would return 500).


When I changed the code to a more appropriate version:

     curl_easy_setopt(hCurl, CURLOPT_SSLCERT, "path/to/ClientCert");

     curl_easy_setopt(hCurl, CURLOPT_CAINFO, NULL);

     curl_easy_setopt(hCurl, CURLOPT_SSL_VERIFYHOST, 0);

     curl_easy_setopt(hCurl, CURLOPT_SSL_VERIFYPEER, 0);


I was able to correctly establish a connection without validating the server


I did not have time to investigate why this fixed my problem, but am happy
with the results.




List admin:
Received on 2012-10-06