
curl-library

Re: Manually verifying certificate before sending HTTP request - is it possible?

From: Georgi Chulkov <georgi_at_guinpen.eu>
Date: Mon, 25 Jan 2016 16:47:41 +0100

On 2016-01-23 10:13, Dan Fandrich wrote:
>> ...
>> Is there a
>> way to perform these manual checks on the certificate after it has
>> been
>> received from the server, but before the HTTP request has been
>> transmitted?
>
> The technique mentioned in
> http://curl.haxx.se/mail/lib-2015-02/0071.html ought
> to be sufficient for this.

Thanks, Dan!

That technique uses SSL_CTX_set_cert_verify_callback() to override the
OpenSSL built-in verification entirely. Instead of reimplementing
verification from scratch, I used SSL_CTX_set_verify() which sets a
callback to be called after each certificate in the chain has been
checked by OpenSSL's built-in verification.

My current solution looks like this (with error checking omitted for
clarity):

#include <cstring>
#include <curl/curl.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

// Application policy check on one CN value (provided elsewhere, not shown
// here); returns non-zero if the name is acceptable.
int validate_common_name(const unsigned char* cn);

int sslVerifyCallback(int valid, X509_STORE_CTX* x509Ctx) {
    // Never turn a failure of OpenSSL's own chain verification into a pass.
    if (!valid)
        return 0;

    // The callback runs once per certificate in the chain; only the
    // endpoint (end-entity) certificate at depth 0 needs the extra check.
    // Using the depth instead of x509Ctx->cert avoids touching the struct,
    // which is opaque from OpenSSL 1.1.0 on.
    if (X509_STORE_CTX_get_error_depth(x509Ctx) != 0)
        return 1;

    // Validate the common name. Only the subject CN is examined here;
    // subjectAltName entries are not consulted.
    X509_NAME* subject =
        X509_get_subject_name(X509_STORE_CTX_get_current_cert(x509Ctx));
    int idx = -1;
    while (true) {
        idx = X509_NAME_get_index_by_NID(subject, NID_commonName, idx);
        if (idx == -1)
            break;
        unsigned char* val = NULL;
        int len = ASN1_STRING_to_UTF8(&val,
            X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, idx)));
        // ASN1_STRING_to_UTF8 returns the byte length, or a negative value
        // on failure. A CN with an embedded NUL would be silently truncated
        // by C string functions, so a length mismatch counts as no match.
        int validCn = len >= 0
                      && strlen(reinterpret_cast<const char*>(val)) == (size_t)len
                      && validate_common_name(val);
        OPENSSL_free(val);  // safe on NULL
        if (validCn)
            return 1;
    }
    X509_STORE_CTX_set_error(x509Ctx, X509_V_ERR_APPLICATION_VERIFICATION);
    return 0;
}

// libcurl hands the SSL_CTX to this callback as a void*, so take it as
// such and cast, matching the curl_ssl_ctx_callback type.
CURLcode sslContextCallback(CURL*, void* sslCtx, void*) {
    SSL_CTX_set_verify(static_cast<SSL_CTX*>(sslCtx), SSL_VERIFY_PEER,
                       &sslVerifyCallback);
    return CURLE_OK;
}

curl_easy_setopt(curlHandle, CURLOPT_SSL_CTX_FUNCTION, sslContextCallback);

I hope this will be useful to others.

Best regards
Georgi
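
An added example, not from this message nor from the curl or OpenSSL projects, of the identity check that a validate_common_name-style function in a callback like the one above has to perform. It is plain C with no OpenSSL dependency so it can be compiled and exercised on its own, and it goes beyond a CN-only check by consulting subjectAltName dNSName entries first, as RFC 6125 requires. The functions match_dns_name and cert_identifies_host, the struct cert_name type, run_demo and the example.com / other.test identities are all constructed for this illustration.

```c
/* Hostname-identity check for the leaf certificate in a verify callback.
 * Standard C only; in a real callback the inputs come from the certificate
 * (see the note after the code).  Everything here is constructed for the
 * example and is not curl's or OpenSSL's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A name taken from the certificate: pointer plus explicit length, because
 * ASN.1 strings are not NUL-terminated and may legally contain NUL bytes. */
struct cert_name {
    const char *data;
    size_t len;
};

/* ASCII-only case-insensitive equality over n bytes (no locale; DNS names
 * are ASCII once IDNs have been converted to A-labels). */
static bool ascii_ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char x = (unsigned char)a[i], y = (unsigned char)b[i];
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y) return false;
    }
    return true;
}

/* Does one presented identifier (a dNSName SAN or the subject CN) match the
 * hostname we connected to?  Rules follow RFC 6125 section 6.4.3:
 *  - whole-string, ASCII case-insensitive comparison;
 *  - at most one '*', it must be the entire left-most label, and at least
 *    two labels must follow it ("*.example.com" yes; "*.com" and
 *    "w*.example.com" no);
 *  - a wildcard matches exactly one label ("a.b.example.com" does not
 *    match "*.example.com");
 *  - an embedded NUL byte is rejected outright, since C-string consumers
 *    would otherwise see a truncated name. */
bool match_dns_name(const char *pattern, size_t plen, const char *host)
{
    size_t hlen = strlen(host);

    if (plen == 0 || hlen == 0)
        return false;
    if (memchr(pattern, '\0', plen) != NULL)
        return false;

    const char *star = memchr(pattern, '*', plen);
    if (star == NULL)
        return plen == hlen && ascii_ieq(pattern, host, hlen);

    /* Wildcard form: '*' must be the whole first label and the only '*'. */
    if (star != pattern || plen < 2 || pattern[1] != '.')
        return false;
    if (memchr(pattern + 1, '*', plen - 1) != NULL)
        return false;
    /* At least two labels must follow: another '.' beyond the first one. */
    const char *suffix = pattern + 1;          /* ".example.com" */
    size_t slen = plen - 1;
    if (memchr(suffix + 1, '.', slen - 1) == NULL)
        return false;

    /* The host's (non-empty) first label is consumed by the wildcard; the
     * remainder, including its leading dot, must equal the suffix. */
    const char *hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host)
        return false;
    size_t rest = hlen - (size_t)(hdot - host);
    return rest == slen && ascii_ieq(hdot, suffix, slen);
}

/* Decide whether a leaf certificate identifies `host`.  `sans` holds the
 * dNSName entries of subjectAltName (nsans may be 0); `cn` is the subject
 * commonName or NULL.  Per RFC 6125 (and RFC 2818 before it) the CN is a
 * fallback only: once any dNSName SAN is present, the CN is ignored. */
bool cert_identifies_host(const struct cert_name *sans, size_t nsans,
                          const struct cert_name *cn, const char *host)
{
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (match_dns_name(sans[i].data, sans[i].len, host))
                return true;
        return false;
    }
    return cn != NULL && match_dns_name(cn->data, cn->len, host);
}

/* Constructed sample identities (made up for this example).  Returns a
 * bitmask of which lookups succeeded, so the outcome is checkable. */
unsigned run_demo(void)
{
    static const struct cert_name sans[] = {
        { "mail.example.com", 16 },
        { "*.example.com",    13 },
    };
    static const struct cert_name cn = { "www.other.test", 14 };
    static const char *const hosts[] = {
        "www.example.com",     /* bit 0: wildcard SAN matches */
        "MAIL.EXAMPLE.COM",    /* bit 1: exact SAN, case-insensitive */
        "a.b.example.com",     /* bit 2: two labels under the wildcard */
        "example.com",         /* bit 3: apex is not covered by "*." */
        "www.other.test",      /* bit 4: CN matches, but SANs are present */
    };
    unsigned mask = 0;
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        bool ok = cert_identifies_host(sans, 2, &cn, hosts[i]);
        printf("%-20s %s\n", hosts[i], ok ? "MATCH" : "no match");
        if (ok)
            mask |= 1u << i;
    }
    /* With no SAN at all, the CN is consulted. */
    if (cert_identifies_host(NULL, 0, &cn, "www.other.test"))
        mask |= 1u << 5;
    return mask;
}

int main(void)
{
    printf("result mask: %u\n", run_demo());
    return 0;
}
```

Inside the OpenSSL callback the inputs would come from X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL) for the dNSName entries and from the CN loop in the message for the fallback, with ASN1_STRING_length() supplying the explicit length. OpenSSL 1.0.2 and later also ship X509_check_host(), which implements these rules natively, and libcurl performs this hostname check itself when CURLOPT_SSL_VERIFYHOST is left at its default of 2; a custom verify callback is therefore only needed for policy that goes beyond hostname matching.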

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2016-01-25