cURL / Mailing Lists / curl-library / Single Mail



From: Thomas Glanzmann <>
Date: Mon, 11 Jan 2016 10:02:13 +0100

Hello Ray,

* Ray Satiro <> [2016-01-11 09:25]:
> Also I notice if peer verification is disabled the SSLpinning result
> isn't checked. This was not caught by the tests so I'll add a test for
> that.

I noticed that, too. But I thought this was the intended behaviour
because OpenSSL does the same.

See here:

Or in one sentence, if VERIFYPEER is 0, VERIFYHOST is set to zero which
means that strict is 0. If strict is 0, the certificate pinning is not
done. Or did I miss something?

I would prefer that pinning is always done if there is a pin
nevertheless verifypeer is enabled or not, but we should agree what we
do here and than do it for all SSL backends the same.

> I propose a different solution for both of those issues. Rather than
> call Curl_pin_peer_pubkey during certificate verification from a
> verify callback we call it after the certificate verification (in
> mbedtls_connect_step2). I think that would be an easier way to deal
> with it. See code at [1].

I tested your method and it works for my usecase.

> - There is a comment in the code that says a peer cert is not available
> after an SSL session resume, specifically "If the session was resumed, there
> will be no peer cert". It appears that was copied from PolarSSL. I looked in
> the mbedTLS documentation to confirm but there's nothing documented in
> mbedtls_ssl_get_peer_cert. However mbedtls_ssl_get_session [2] has a notice
> that says "Currently, peer certificate is lost in the operation." Yet I
> tested it and the peer certificate seems to be available on resume:

> ./curl -v --pinnedpubkey
> sha256//C4G4mPCYzTEVZBFSwJ5u+IxQYaKOxhQwBz7YeD/ELxk=

I'll ask on the mbedtls mailing list and ask them.

> - mbedtls_pk_write_pubkey_der expects a mbedtls_pk_context that is non-const
> [3], but mbedtls_ssl_get_peer_cert returns a const certificate. I don't see
> a way to make a non-const copy of the public key but there is probably a way
> to do this, or copy the cert or some parent container.

I'll have a look at that and come back to you.

List admin:
Received on 2016-01-11