curl-library
digging into the tutorial as well as example cacertinmem.c
Date: Mon, 11 Mar 2013 21:37:26 -0400
I think SSL may be a bit baffling to me as the term "CA Cert" gets used a lot
but I am not too clear where libcurl looks to find these CA's.
The sample code cacertinmem.c compiles neatly and I tried to replace the
contents of the "char * mypem" variable with pem contents I extracted
using openssl :
openssl s_client -connect www.targetsite.com:443 -CApath /usr/local/ssl/certs -showcerts
I get lovely output looking somewhat like :
CONNECTED(00000004)
depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify return:1
depth=0 C = US, ST = New York, L = New York, O = Some Company Name, CN = www.targetsite.com
verify return:1
So that looks quite nice.
I am thinking, based on the docs for curl_easy_setopt, that I can set a filename via CURLOPT_SSLCERT that contains a bundle of PEM data with the required PEM goodness
in it like so :
$ cat /usr/local/ssl/certs/Entrust.net_Premium_2048_Secure_Server_CA.pem \
> /usr/local/ssl/certs/Entrust.net_Secure_Server_CA.pem \
> /usr/local/ssl/certs/Entrust_Root_Certification_Authority.pem > Entrust_bundle
Then somehow, magically, watch libCurl use that as the place to look for a CA Cert.
Am I on the right path here ?
dc
Received on 2013-03-12
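
An added example, not part of the original post and not curl project code: a structural check for a concatenated PEM file such as the Entrust_bundle built above, counting complete certificate blocks and flagging private keys or cut-off armor lines before the file is handed to libcurl. For reference, libcurl's option for a CA bundle file is CURLOPT_CAINFO, while CURLOPT_SSLCERT names the client certificate; the names `scan_pem_bundle`, `bundle_report` and `SAMPLE` are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* certs: complete CERTIFICATE blocks; private_keys: complete "... PRIVATE KEY"
   blocks; malformed: 1 if BEGIN/END armor lines do not pair up. */
struct bundle_report { int certs, private_keys, malformed; };

/* Only the armor lines are inspected; base64 bodies are not decoded, so this
   checks the bundle's structure, not whether the certificates are valid. */
struct bundle_report scan_pem_bundle(const char *pem)
{
    struct bundle_report r = {0, 0, 0};
    char open[64] = "";                 /* label of the block we are inside */
    const char *p = pem;

    while ((p = strstr(p, "-----")) != NULL) {
        int is_begin = strncmp(p, "-----BEGIN ", 11) == 0;
        int is_end = strncmp(p, "-----END ", 9) == 0;
        if (!is_begin && !is_end) { p++; continue; }   /* e.g. a dashed rule */
        const char *label = p + (is_begin ? 11 : 9);
        const char *tail = strstr(label, "-----");
        size_t n = tail ? (size_t)(tail - label) : 0;
        /* armor line cut short, over-long, or broken across lines */
        if (n == 0 || n >= sizeof(open) || memchr(label, '\n', n)) { r.malformed = 1; break; }
        if (is_begin) {
            if (open[0]) r.malformed = 1;              /* BEGIN inside a block */
            memcpy(open, label, n);
            open[n] = '\0';
        } else {
            if (strlen(open) != n || strncmp(open, label, n) != 0)
                r.malformed = 1;                       /* END without its BEGIN */
            else if (strcmp(open, "CERTIFICATE") == 0)
                r.certs++;
            else if (n >= 11 && strcmp(open + n - 11, "PRIVATE KEY") == 0)
                r.private_keys++;
            open[0] = '\0';
        }
        p = tail + 5;
    }
    if (open[0]) r.malformed = 1;                      /* text ends mid-block */
    return r;
}

/* Constructed sample; the bodies are placeholders, not real certificates. */
static const char SAMPLE[] = "depth=0 CN = www.example.test\n---\n"
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNU\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xE\n-----END CERTIFICATE-----\n";

int main(void)
{
    struct bundle_report r = scan_pem_bundle(SAMPLE);
    printf("certs=%d private_keys=%d malformed=%d\n", r.certs, r.private_keys, r.malformed);
    return r.malformed || r.private_keys;
}
```

Because text outside the armor lines is skipped, the scan also works on raw `openssl s_client -showcerts` output pasted into a file.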