

Re: Manually verifying certificate before sending HTTP request - is it possible?

From: Georgi Chulkov <>
Date: Mon, 25 Jan 2016 16:47:41 +0100

On 2016-01-23 10:13, Dan Fandrich wrote:
>> ...
>> Is there a
>> way to perform these manual checks on the certificate after it has
>> been
>> received from the server, but before the HTTP request has been
>> transmitted?
> The technique mentioned in
> ought
> to be sufficient for this.

Thanks, Dan!

That technique uses SSL_CTX_set_cert_verify_callback() to override the
OpenSSL built-in verification entirely. Instead of reimplementing
verification from scratch, I used SSL_CTX_set_verify() which sets a
callback to be called after each certificate in the chain has been
checked by OpenSSL's built-in verification.

My current solution looks like this (with error checking omitted for

#include <curl/curl.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

// Application-specific check of one decoded common name (not part of OpenSSL
// or libcurl). Note that ASN1_STRING_to_UTF8() also returns the length, since
// a certificate string may contain embedded NUL bytes; a strict check should
// honour that length rather than trusting the first NUL.
int validate_common_name(const unsigned char* cn);

int sslVerifyCallback(int valid, X509_STORE_CTX* x509Ctx) {
     // OpenSSL's built-in verification already rejected this certificate;
     // keep that result.
     if (!valid)
         return 0;

     // Only the endpoint certificate needs to be checked.
     // X509_STORE_CTX_get0_cert() (OpenSSL 1.1.0+) replaces the direct
     // x509Ctx->cert access that was possible in OpenSSL 1.0.x.
     X509* current = X509_STORE_CTX_get_current_cert(x509Ctx);
     if (current != X509_STORE_CTX_get0_cert(x509Ctx))
         return 1;

     // Validate the common name: accept the certificate if any CN entry
     // of the subject passes the application's check.
     X509_NAME* subject = X509_get_subject_name(current);
     int idx = -1;
     while (true) {
         idx = X509_NAME_get_index_by_NID(subject, NID_commonName, idx);
         if (idx == -1)
             break;
         unsigned char* val = NULL;
         int len = ASN1_STRING_to_UTF8(&val,
             X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, idx)));
         if (len < 0)
             continue;  // decoding failed; nothing was allocated
         int validCn = validate_common_name(val);
         OPENSSL_free(val);  // ASN1_STRING_to_UTF8() allocates the buffer
         if (validCn)
             return 1;
     }
     return 0;
}

CURLcode sslContextCallback(CURL*, SSL_CTX* sslCtx, void*) {
     // SSL_VERIFY_PEER keeps OpenSSL's chain verification; the callback
     // then runs once per certificate in the chain.
     SSL_CTX_set_verify(sslCtx, SSL_VERIFY_PEER, &sslVerifyCallback);
     return CURLE_OK;
}

curl_easy_setopt(curlHandle, CURLOPT_SSL_CTX_FUNCTION, sslContextCallback);

I hope this will be useful to others.

Best regards

Received on 2016-01-25