cURL / Mailing Lists / curl-library / Single Mail


Re: libcurl, CACs, and SSL/TLS

From: Ray Satiro via curl-library <>
Date: Wed, 4 May 2016 19:10:34 -0400

On 5/4/2016 5:20 PM, Mckinney, Lee wrote:
> We have the following use case:
> 1. via libcurl, attempt SSL/TLS connection to a CAC-protected
> (PKI-enabled) server.
> 2. Receive server PKI challenge, asking for an appropriate certificate
> (likely X.509).
> 3. via libcurl (or libcurl + openSSL?), present the user with a list a
> certificates available on
> his/her CAC (smartcard). The card must be in the reader.
> 4. User selects certificate.
> 5. User receives a PIN challenge for the selected certificate.
> 6. Proper PIN is submitted.
> 7. The certificate response is sent to the server.
> 7. The TLS connection started in step #1 completes.
> How do we build/configure libcurl (and openSSL?) to achieve this?
> If this capability is via API (not build or configuration), which
> members of the libcurl API
> are relevant?
> Our starting line:
> res=CURLE_OK;
> curl_easy_setopt(curl,CURLOPT_URL,"<an-https-url>"
> curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
> res=curl_easy_perform(curl);

I think this is the same question you asked several months ago [1]? If
you are not aware there was a reply at [2]. According to Petr this seems
unsupported at the moment in OpenSSL. There's a new release of OpenSSL
coming very soon, you may want to ask their list if it's possible to do
what you are trying to do. If it is possible in OpenSSL but not in
libcurl you could propose a set of changes for discussion. It looks like
someone was able to modify schannel in libcurl (WinSSL) to do something
similar [3], but I can't find those changes ever made it in. I wrote the
author to find out.


List admin:
Received on 2016-05-05