curl-library

Re: Curl for https

From: Mischa Salle <mischa.salle_at_gmail.com>
Date: Fri, 2 Aug 2013 12:47:49 +0200

Hi,

If you just need to grab the certificate with a cmdline tool, you can use
e.g. openssl s_client:
 openssl s_client -connect www.example.com:443
You can get the whole chain (not in your case) with
 openssl s_client -showcerts -connect www.example.com:443
Then just copy & paste the lines starting from BEGIN CERTIFICATE till END
CERTIFICATE, which are just the PEM-encoded cert files.

Hope this is of any help,

Mischa

On Fri, Aug 2, 2013 at 10:37 AM, Bunse, Stephan (Stephan) <
stephan.bunse_at_alcatel-lucent.com> wrote:

> Hello,
>
> I know about the security reasons, and the principle procedure. But right
> now I'm blocked with the first step: How to download the certificate? I
> tried to use CURLOPT_CERTINFO and investigated the result with
> curl_easy_getinfo with the option CURLINFO_CERTINFO. Unfortunately, the API
> description is somewhat vague and I need a more detailed description of how to
> do that.
>
> Stephan
>
> On Aug 1, 2013, at 7:26 AM, "Bunse, Stephan (Stephan)" <
> stephan.bunse_at_alcatel-lucent.com> wrote:
>
> > Hello,
> >
> > I want to write a program, which retrieves information using https.
> > Unfortunately, the server has a self signed certificate, so curl fails,
> > unless the options CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are
> > set to 0. That works, but I would like to download the certificate of the
> > server, store it and check against it next time. Does anybody have an idea
> > how to do this?
>
>
> I can't really recommend programming an HTTPS client that arbitrarily
> accepts self-signed certificates for obvious security reasons. It's
> probably better to distribute the certificate with the program if it is the
> legitimate certificate.
>
> Anyway, to allow libcurl to work with self-signed certificates once you
> have one: If you are using Schannel or Secure Transport for TLS, then you
> must import the certificate into the system and mark it as trusted. For all
> other engines, save the certificate, and pass the path to it into
> curl_easy_setopt() with the option CURLOPT_CAINFO.
>
> Nick Zitzmann
> <http://www.chronosnet.com/>
>
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

-- 
Van Boshuizenstraat 443
1082 AR Amsterdam
The Netherlands
Tel. (+31/0)20-4043782

Received on 2013-08-02
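
Added example (not part of the original messages and not curl project code): the copy-and-paste step from the reply above as a shell function that pulls one complete PEM block out of `openssl s_client` output and fails when no complete block is there. The function name `pem_cert`, the file name `server.pem` and the sample output are constructed for this example; selecting an arbitrary position in a `-showcerts` chain goes slightly beyond what the message describes.

```shell
#!/bin/sh
# Print the Nth complete PEM certificate block found on stdin (default 1,
# the certificate the server itself presented). Exits 1 when block N is
# missing or cut short, so a failed handshake cannot leave a bad pin file
# unnoticed.
pem_cert() {
    awk -v want="${1:-1}" '
        /^-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/ && inside {
            inside = 0
            if (++n == want) { printf "%s", buf; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample of `openssl s_client -showcerts` output; the bodies
# are placeholders, not real certificates.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.com
   i:/CN=Example Issuer
-----BEGIN CERTIFICATE-----
AAAALEAFPLACEHOLDERAAAA
-----END CERTIFICATE-----
 1 s:/CN=Example Issuer
   i:/CN=Example Issuer
-----BEGIN CERTIFICATE-----
BBBBISSUERPLACEHOLDERBBBB
-----END CERTIFICATE-----
---
EOF
}

# Live use (needs network, so it stays a comment). --cacert is the curl
# tool's counterpart of CURLOPT_CAINFO:
#   openssl s_client -connect www.example.com:443 </dev/null 2>/dev/null \
#       | pem_cert 1 > server.pem \
#       && curl --cacert server.pem https://www.example.com/

sample_output | pem_cert 1   # prints the three-line leaf block
```

The first fetch is itself unauthenticated, so before relying on `server.pem` compare the output of `openssl x509 -in server.pem -noout -fingerprint -sha256` with a fingerprint obtained from the server's operator.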