curl-library

Re: In TLS v1.1 X509_STORE_CTX_get_current_cert always returning NULL

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 24 Sep 2015 10:11:09 +0200 (CEST)

On Thu, 24 Sep 2015, puneet bist wrote:

> I was earlier using SSL 0.9.8 with curl 7.39.0. Server used TLSv1.0 for
> communication. I used "curl_easy_setopt(curl_handle,
> CURLOPT_SSL_CTX_FUNCTION, ctx_callback);" for self-signed certificates
> fingerprint matching.
>
> In the callback function X509_STORE_CTX_get_current_cert always gave the
> certificate which I used to extract the fingerprint. It was working fine.
>
> Now I built curl 7.39.0 with openssl 1.0.2d and Server used TLSv1.1 for
> communication. But X509_STORE_CTX_get_current_cert is always returning NULL. So
> I am not able to check the fingerprint.

The callback simply gets the CTX pointer passed to it that libcurl has, so
this is unfortunately not something libcurl affects. In a *SSL_CTX_FUNCTION
callback like this you interface directly with OpenSSL and I believe you need
to dig down into OpenSSL to figure out why it now returns a different result
compared to before.

Maybe you can consider switching to CURLOPT_PINNEDPUBLICKEY anyway to avoid a
custom callback?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2015-09-24
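
The reply above suggests CURLOPT_PINNEDPUBLICKEY in place of a fingerprint-matching callback. The following is an added example, not part of the original mail: it computes both a certificate fingerprint and a public key pin with the openssl command line tool, using constructed sample certificates (the name pin.example and the file names are made up for illustration).

```shell
#!/bin/sh
# Added example: compare a certificate fingerprint with a public key pin.
set -eu

# SHA-256 fingerprint of the whole certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# "sha256//" + base64(SHA-256(DER SubjectPublicKeyInfo)): the string form of a pin.
spki_pin() {
    printf 'sha256//%s\n' "$(openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl enc -base64)"
}

# Constructed sample data: one EC key and two self-signed certificates for it.
make_sample_certs() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem"
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=pin.example" \
        -days 30 -out "$1/cert1.pem"
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=pin.example" \
        -days 60 -out "$1/cert2.pem"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample_certs "$demo_dir"
for c in cert1.pem cert2.pem; do
    echo "$c fingerprint: $(cert_fingerprint "$demo_dir/$c")"
    echo "$c pin:         $(spki_pin "$demo_dir/$c")"
done
# The pin is the value passed as CURLOPT_PINNEDPUBLICKEY, or on the command line:
#   curl --pinnedpubkey "$(spki_pin server.pem)" https://pin.example/
```

The two certificates have different fingerprints but the same pin, because the pin covers only the public key and survives re-issuing the certificate. libcurl accepts the `sha256//` string form from 7.44.0 on; 7.39.0, the version in this thread, takes the path to a PEM or DER public key file instead.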