Custom verification of server side certs

From: Alex Bligh <alex_at_alex.org.uk>
Date: Fri, 10 Jul 2015 12:24:13 +0100

We have a situation where we have a custom CA that has signed
server and client certificates.

The server certificates have CNs (like "server-abcde") which
are unrelated to the URL used to access them e.g.
   "https://192.168.100.2:8443/"

I think I need to leave CURLOPT_SSL_VERIFYPEER turned on to
ensure the cert is signed by the correct CA.

Obviously I don't want libcurl to verify that the CN matches the URL,
as it won't. So I need to turn off CURLOPT_SSL_VERIFYHOST. However, I
still want to check the CN against something, as I know what the
CN should be.

What I'd really like to do is supply some form of certificate validation
callback which would allow me to inspect the CN and drop the
connection if it is incorrect.

However I don't think I can do that - correct?

What is the easiest way to read the CN post connection but before
I send any (private) data? Do I have to do CURLOPT_CERTINFO
then wade through curl_easy_getinfo / CURLINFO_CERTINFO ? At
what point is this information available? The man page says:

"assuming you had CURLOPT_CERTINFO enabled when the previous
request was done"

which implies the data is only there once the request has
completed, by which time it's obviously too late.

-- 
Alex Bligh
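The check the post is after, with CURLOPT_SSL_VERIFYPEER left on for the CA check and CURLOPT_SSL_VERIFYHOST switched off, is a strict comparison of the leaf certificate's CN against the value the client already knows. The following is an added example written for this page, not code from the post or from the curl project. It implements only the CN extraction and comparison in plain C; the libcurl glue (CURLOPT_CERTINFO set to 1, then reading CURLINFO_CERTINFO and taking the first certificate in the chain as the leaf) is described in the comments and is assumed, not compiled here. The "Subject:" strings are constructed samples in the two layouts OpenSSL-built libcurl has reported (the "C = GB, CN = x" form and the older "/C=GB/CN=x" form); values containing escaped commas or slashes are deliberately not handled.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Extract the CN attribute from a subject line of the kind libcurl reports
 * in CURLINFO_CERTINFO, e.g.
 *   "Subject:C = GB, O = Example, CN = server-abcde"   (newer OpenSSL)
 *   "Subject:/C=GB/O=Example/CN=server-abcde"          (older OpenSSL)
 * Returns 1 and copies the CN into out on success. Returns 0 when there is
 * no CN, more than one CN (ambiguous), a malformed RDN, or the value does
 * not fit in out. Attribute values with escaped ',' or '/' are not handled.
 */
static int extract_cn(const char *subject, char *out, size_t outlen)
{
    const char *p = subject;
    int found = 0;

    if (strncmp(p, "Subject:", 8) == 0)
        p += 8;

    while (*p) {
        const char *type, *val;
        size_t tlen, vlen;

        /* RDNs are separated by "/" (old form) or ", " (new form). */
        while (*p == '/' || *p == ',' || *p == ' ')
            p++;
        if (!*p)
            break;

        /* Attribute type runs up to '=' (trailing blanks trimmed). */
        type = p;
        while (*p && *p != '=' && *p != ',' && *p != '/')
            p++;
        if (*p != '=')
            return 0;                       /* malformed RDN */
        tlen = (size_t)(p - type);
        while (tlen > 0 && type[tlen - 1] == ' ')
            tlen--;

        /* Value runs from after '=' (leading blanks skipped) to the next separator. */
        p++;
        while (*p == ' ')
            p++;
        val = p;
        while (*p && *p != ',' && *p != '/')
            p++;
        vlen = (size_t)(p - val);
        while (vlen > 0 && val[vlen - 1] == ' ')
            vlen--;

        /* Only a whole attribute type of exactly "CN" counts, so "OCN=" does not. */
        if (tlen == 2 && strncmp(type, "CN", 2) == 0) {
            if (found)
                return 0;                   /* two CNs: refuse to guess */
            if (vlen == 0 || vlen + 1 > outlen)
                return 0;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            found = 1;
        }
    }
    return found;
}

/*
 * Exact, case-sensitive comparison of the leaf certificate's CN with the
 * value the client expects. Prefix and suffix variants ("server-abcd",
 * "server-abcde-evil") are rejected. Returns 1 on match, 0 otherwise.
 *
 * Assumed libcurl integration (not compiled here): set CURLOPT_SSL_VERIFYPEER
 * to 1, CURLOPT_SSL_VERIFYHOST to 0, CURLOPT_CERTINFO to 1; after the handshake
 * fetch CURLINFO_CERTINFO and pass the "Subject:" entry of certificate 0 (the
 * leaf) as subject. Abort the connection if this returns 0.
 */
static int cn_matches(const char *subject, const char *expected)
{
    char cn[256];

    if (!extract_cn(subject, cn, sizeof cn))
        return 0;
    return strcmp(cn, expected) == 0;
}

int main(void)
{
    /* Constructed sample subject lines, not taken from a real certificate. */
    const char *samples[] = {
        "Subject:C = GB, O = Example, CN = server-abcde",
        "Subject:/C=GB/O=Example/CN=server-abcde",
        "Subject:C = GB, O = Example, CN = server-abcde-evil",
        "Subject:C = GB, O = Example",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-55s -> %s\n", samples[i],
               cn_matches(samples[i], "server-abcde") ? "accept" : "reject");
    return 0;
}
```

The comparison is deliberately exact rather than a substring or wildcard match, because a CN issued by the same private CA for a different service would otherwise pass; if the deployment uses several fixed CNs, compare against each allowed value in turn.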
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2015-07-10