curl-library

Re: Manually verifying certificate before sending HTTP request - is it possible?

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Sat, 23 Jan 2016 10:13:16 +0100

On Sat, Jan 23, 2016 at 12:46:38AM +0100, Georgi Chulkov wrote:
> Hello,
>
> My application uses libcurl to connect to a HTTPS server, but I would like
> to perform manual checks on the server's certificate before sending my
> request. In particular, I would like to compare the Distinguished Name
> within the certificate to a specific string, which is different than the
> server's hostname.
>
> My current approach is:
> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
> curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
> curl_easy_perform(curl);
> curl_easy_getinfo(curl, CURLINFO_CERTINFO, &info);
> /* ... examine info->certinfo[0] */
>
> The problem is that I can only validate the DN after the fact. Is there a
> way to perform these manual checks on the certificate after it has been
> received from the server, but before the HTTP request has been transmitted?

The technique mentioned in http://curl.haxx.se/mail/lib-2015-02/0071.html ought
to be sufficient for this.

>>> Dan
Received on 2016-01-23