curl-library
Re: [PATCH] Pinned public key hash support
Date: Mon, 01 Jun 2015 13:05:32 -0400
Hello all,
Attached is my second go at a patch for pinning public keys with a hash.
It now supports all backends that public key pinning supports, except for
GSKit, which simply needs a sha256 function (can someone help me out
here? By writing/testing preferably, or pointing me to docs?).
Here is the status of the backend support (all compiled/tested under
Linux, Ubuntu 14.04):
OpenSSL/GnuTLS-with-gcrypt: Written/Compiled/Tested
NSS: Written/Compiled
CyaSSL(WolfSSL)/GnuTLS-with-nettle: Written
GSKit: No Support
Still waiting to hear back on this question:
On 05/29/2015 03:31 PM, moparisthebest wrote:
> 1. Is it safe to re-use the existing curlopt, the code treats it as a
> hash only if it starts with "sha256/" and nothing else, and then will
> not look on the filesystem for a file at all. I suppose this could
> break systems where a der/pem is in a folder named 'sha256/' with no
> leading path parts, but I feel like that's a safe bet? (And by 'break'
> I mean fail-closed, it'll fail to connect with 'curl: (90) SSL: public
> key does not match pinned public key!')
After which I can update documentation, write tests, and hopefully have
a final patch.
Thanks much,
Travis Burtrum
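The two interpretations of the option value described in the quoted question, as an added illustration that is not part of the patch or of curl's own code. It assumes the digest after "sha256/" is base64-encoded and that the file form is a DER-encoded SubjectPublicKeyInfo compared byte-for-byte; both are assumptions, not something the mail states.

```python
import base64
import hashlib
import hmac
import os
import tempfile

PIN_PREFIX = "sha256/"  # prefix the patch treats as "this is a hash, not a path"

# Constructed sample bytes standing in for a DER-encoded SubjectPublicKeyInfo.
SAMPLE_SPKI = b"\x30\x1c" + b"constructed-spki-der-sample-bytes"


def spki_sha256_b64(spki_der: bytes) -> str:
    """Base64 of the SHA-256 digest of the peer's SPKI (encoding is an assumption)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pinned_key_matches(pin_option: str, peer_spki_der: bytes) -> bool:
    """Return True only on a positive match; every other outcome fails closed.

    A value starting with "sha256/" is a digest of the peer's SPKI and the
    filesystem is never consulted. Anything else is a path to a DER file whose
    bytes must equal the peer's SPKI.
    """
    if pin_option.startswith(PIN_PREFIX):
        expected = pin_option[len(PIN_PREFIX):]
        # Constant-time comparison so the check cannot leak the digest by timing.
        return hmac.compare_digest(expected, spki_sha256_b64(peer_spki_der))
    try:
        with open(pin_option, "rb") as fh:
            pinned = fh.read()
    except OSError:
        return False  # missing or unreadable pin file: fail closed
    return hmac.compare_digest(pinned, peer_spki_der)


def demo_file_mode(peer_spki_der: bytes) -> tuple:
    """Write a pin file and check a matching and a non-matching peer key."""
    with tempfile.NamedTemporaryFile("wb", suffix=".der", delete=False) as fh:
        fh.write(peer_spki_der)
        path = fh.name
    try:
        return (pinned_key_matches(path, peer_spki_der),
                pinned_key_matches(path, b"some-other-key"))
    finally:
        os.unlink(path)
```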
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html