Re: SSL with Client Cert but without Server cert validation?

From: William Lear <bill_at_lear.net>
Date: Sat, 6 Oct 2012 11:53:15 -0400

On 03-10-12 09:47, Oscar Koeroo wrote:

> Hi,
>
> Do you have more information on how/why it failed. For example by using
> the verbose output?
>
> There are two options to toggle:
> curl_easy_setopt(hc->curl, CURLOPT_SSL_VERIFYPEER, 1L);
> curl_easy_setopt(hc->curl, CURLOPT_SSL_VERIFYHOST, 2L);
>
> Details are available in the documentation. Setting both to zero is equal
> to the "-k" option.
>
> If you also want to remove the usage of the default included CA bundle
> (this is an add-on to the previous options), then you could write a small
> SSL_CTX callback function:
> curl_easy_setopt(hc->curl, CURLOPT_SSL_CTX_FUNCTION, *sslctx_function);
>
> This callback function will prepare a bare SSL_CTX and by default it has
> no default CA location inclusion, like the CA bundle file.
>
> Oscar
>
> On 02-10-12 19:55, Bill Lear wrote:
> > I have an unusual situation with an embedded SSL client using libcurl.
> >
> > I need to send a client certificate to the server for validation even
> > though the client does not validate the server certificate.
> > (CURLOPT_SSL_VERIFYPEER = 0)
> >
> > Is this possible? I have confirmed that I can establish a connection
> > when I supply a CACert bundle and set VERIFYPEER = 1, but the connection is
> > refused when I set VERIFYPEER = 0.
> >
> > Thanks,
> >
> > Bill

Oscar, sorry for the delayed response.

I found a way to avoid the problem I was seeing.

The failing test code was:

     curl_easy_setopt(hCurl, CURLOPT_SSLCERT, "path/to/ClientCert");
     curl_easy_setopt(hCurl, CURLOPT_CAINFO, "path/to/CABundle");
     curl_easy_setopt(hCurl, CURLOPT_SSL_VERIFYHOST, 2L);
     // set to 1L to validate server cert, 0L to skip validation
     // (the option takes a long, so pass 0L/1L rather than a bare int)
     curl_easy_setopt(hCurl, CURLOPT_SSL_VERIFYPEER, 0L);
     ...
     curl_easy_perform(hCurl);

With this code, when I set CURLOPT_SSL_VERIFYPEER to 0, libcurl verbose
messages would correctly indicate,

"self signed certificate in certificate chain (19), continuing anyway."

but the connection would fail (server would return 500).

When I changed the code to a more appropriate version:

     curl_easy_setopt(hCurl, CURLOPT_SSLCERT, "path/to/ClientCert");
     curl_easy_setopt(hCurl, CURLOPT_CAINFO, NULL);   // no CA bundle at all
     curl_easy_setopt(hCurl, CURLOPT_SSL_VERIFYHOST, 0L);
     curl_easy_setopt(hCurl, CURLOPT_SSL_VERIFYPEER, 0L);

I was able to correctly establish a connection without validating the server
certificate.

I did not have time to investigate why this fixed my problem, but am happy
with the results.

Thanks
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-10-06