Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY
Date: Wed, 13 Jan 2016 21:03:02 +0100
> I thought we already do this , I'm at a loss for why session resume
> doesn't work if in fact it doesn't. I recall it did appear to resume
> for me, probably I had a different google server than you.
Does it work for you? I tried with session id and tickets and used curl
debug output as well as wireshark. And I could not see that it even
tried to resume. But maybe I missed something.
> Ok we should be fine then since 1.3.0 is when it was polarssl not
> mbedtls. As far as checking each key in the chain, and your reply in
> that thread where you said you would implement pinning not only
> for the peer cert (I assume you want to for every cert in the chain),
> note that is not the way it is implemented for the other backends.
> The CURLOPT_PINNEDPUBLICKEY documentation says "the server sends a
> certificate indicating its identity. A public key is extracted from this
> certificate and if it does not exactly match the public key provided to this
> option, curl will abort the connection before sending or receiving any data.
> " Therefore I'd bring up chain pinning as a separate discussion if you want
> to see it implemented.
I see. If this is the intended behaviour, then we leave it at this.
> Further, to your comments in a previous e-mail about pinning, it was
> intended that the pinning check takes place even if verifypeer is disabled.
> Though this is not explicitly documented and there's no test for it (I'm
> working on that, haven't forgotten) that is the way it should be implemented
> across all backends including OpenSSL. Specifically in reference to the line
> you cited in openssl.c there's no return there so I think you misread
You're right. I tested it against OpenSSL and certificate pinning is
enforced even when verifypeer is 0. I just wrote a test program and it
confirms what you say. I thought I had this tested before but apparently
I did not.
List admin: http://cool.haxx.se/list/listinfo/curl-library
Received on 2016-01-13
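The two points settled in this reply, that the pin is compared against the public key of the peer certificate only (not every certificate in the chain) and that the check is enforced whether or not verifypeer is set, can be shown in a small model. The following is an added example written for this page; it is not curl's or mbedtls' code and not something from the thread. It walks a DER certificate to its SubjectPublicKeyInfo, compares that DER blob byte-for-byte with the pinned key (the file-based pin form described in the quoted documentation), and only lets verifypeer decide whether a failed chain verification is fatal. The function names `der_next`, `find_spki` and `check_peer`, the `verifypeer`/`chain_verified` parameters and the return codes are made up for the example, and the certificate bytes are constructed: the issuer, validity and subject are empty placeholders and the key and signature are dummies, so it is structurally walkable but not a valid X.509 certificate.

```c
/* Added example (not curl or mbedtls code): a model of how a
 * CURLOPT_PINNEDPUBLICKEY-style check relates to verifypeer. The certificate
 * below is constructed for this demo and is not a valid X.509 certificate. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { PIN_OK = 0, PIN_MISMATCH, PIN_BADCERT, CHAIN_FAIL };

/* Read one DER TLV at *p: returns a pointer to its content, stores tag and
 * content length, advances *p past it. Long-form lengths up to 2 bytes cover
 * certificates of a few KB. Returns NULL on malformed input. */
static const unsigned char *der_next(const unsigned char **p,
                                     const unsigned char *end,
                                     unsigned char *tag, size_t *len)
{
    const unsigned char *q = *p;
    size_t l, n;
    if (end - q < 2) return NULL;
    *tag = *q++;
    l = *q++;
    if (l & 0x80) {                         /* long form: 0x8N, then N bytes */
        n = l & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - q) < n) return NULL;
        for (l = 0; n; n--) l = (l << 8) | *q++;
    }
    if ((size_t)(end - q) < l) return NULL;
    *len = l;
    *p = q + l;
    return q;
}

/* Return the whole DER SubjectPublicKeyInfo TLV of a DER certificate:
 * Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serial,
 * signature, issuer, validity, subject, subjectPublicKeyInfo, ... }, ... } */
static const unsigned char *find_spki(const unsigned char *cert, size_t certlen,
                                      size_t *spkilen)
{
    const unsigned char *p = cert, *end = cert + certlen, *c, *start;
    unsigned char tag;
    size_t len;
    int i;

    c = der_next(&p, end, &tag, &len);
    if (!c || tag != 0x30) return NULL;     /* Certificate */
    p = c; end = c + len;
    c = der_next(&p, end, &tag, &len);
    if (!c || tag != 0x30) return NULL;     /* tbsCertificate */
    p = c; end = c + len;
    start = p;
    if (!der_next(&p, end, &tag, &len)) return NULL;
    if (tag != 0xa0) p = start;             /* no [0] version: rewind */
    for (i = 0; i < 5; i++)                 /* serial .. subject */
        if (!der_next(&p, end, &tag, &len)) return NULL;
    start = p;
    c = der_next(&p, end, &tag, &len);
    if (!c || tag != 0x30) return NULL;
    *spkilen = (size_t)(p - start);         /* header + content */
    return start;
}

/* The pin is compared byte-for-byte against the peer's DER SPKI and is
 * checked whether or not verifypeer is set; verifypeer only decides whether
 * a failed chain verification aborts the connection. */
int check_peer(const unsigned char *cert, size_t certlen,
               const unsigned char *pin, size_t pinlen,
               int verifypeer, int chain_verified)
{
    const unsigned char *spki;
    size_t spkilen;

    if (verifypeer && !chain_verified) return CHAIN_FAIL;
    spki = find_spki(cert, certlen, &spkilen);
    if (!spki) return PIN_BADCERT;
    if (spkilen != pinlen || memcmp(spki, pin, pinlen) != 0) return PIN_MISMATCH;
    return PIN_OK;
}

/* Constructed sample (hypothetical): empty Name/Validity placeholders, an
 * rsaEncryption SPKI holding 4 dummy key bytes and a dummy signature. */
static const unsigned char sample_cert[] = {
    0x30, 0x4a,                                 /* Certificate, 74 bytes */
    0x30, 0x35,                                 /* tbsCertificate, 53 bytes */
    0xa0, 0x03, 0x02, 0x01, 0x02,               /* [0] version v3 */
    0x02, 0x01, 0x01,                           /* serialNumber 1 */
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
    0x05, 0x00,                                 /* signature: sha256WithRSA */
    0x30, 0x00, 0x30, 0x00, 0x30, 0x00,         /* issuer, validity, subject */
    0x30, 0x16,                                 /* subjectPublicKeyInfo */
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
    0x05, 0x00,                                 /*   rsaEncryption, NULL */
    0x03, 0x05, 0x00, 0x01, 0x02, 0x03, 0x04,   /*   BIT STRING dummy key */
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
    0x05, 0x00,                                 /* signatureAlgorithm */
    0x03, 0x02, 0x00, 0xff                      /* signatureValue dummy */
};
/* The value a user would pin: the 24-byte DER SPKI copied from the sample. */
static const unsigned char good_pin[] = {
    0x30, 0x16, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
    0x01, 0x01, 0x05, 0x00, 0x03, 0x05, 0x00, 0x01, 0x02, 0x03, 0x04
};
static const unsigned char bad_pin[] = {     /* last key byte differs */
    0x30, 0x16, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
    0x01, 0x01, 0x05, 0x00, 0x03, 0x05, 0x00, 0x01, 0x02, 0x03, 0x05
};

int main(void)
{
    /* verifypeer off and chain unverified: the pin alone decides */
    printf("good pin, verifypeer=0: %d\n", check_peer(sample_cert,
           sizeof sample_cert, good_pin, sizeof good_pin, 0, 0));
    printf("bad pin,  verifypeer=0: %d\n", check_peer(sample_cert,
           sizeof sample_cert, bad_pin, sizeof bad_pin, 0, 0));
    return 0;
}
```

With verifypeer set to 0 a matching pin still connects and a mismatched pin still aborts, which is the behaviour the reply confirms against OpenSSL; the chain result only matters once verifypeer is 1. Only the leaf's SPKI is examined, so pinning an intermediate's key does not match here, in line with the documentation quoted above.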