Re: Override libcurl's server cert validation (WINSSL)

From: Ray Satiro via curl-library <>
Date: Fri, 4 Nov 2016 18:46:15 -0400

On 11/4/2016 5:17 PM, Ribhi Kamal wrote:
> I'm trying to find a way to enable me to tell libcurl "Hey, I know
> this FTPS server is using a bad certificate, but it's OK! I recognize
> its public key, so please go ahead and connect to it." In other words,
> I would like to have a say when libcurl is validating a certificate
> without turning off certificate validation completely. See example below.
> My main motivation is that I'm writing a Windows program that
> downloads files from an FTPS server and I don't want to modify the
> machine's certificate stores so that the server's cert is trusted. Does
> libcurl have a callback or an option that allows me to specify my own
> custom server cert validation?

Unfortunately there's no way to do this currently with WinSSL. In some
limited cases there's CURLINFO_TLS_SSL_PTR but it wasn't really designed
for that; refer to the LIMITATIONS section [1]. As you can see there's
no way for FTPS connections to be properly manually verified with
libcurl and WinSSL. You can add your use case to the feature request
'Add a user callback for SSL connections' [2], but unless there's enough
support the issue is unlikely to be revisited.

In the meantime if you are looking to contribute there are two other
ways this could happen more immediately. CURLOPT_CAINFO [3] could be
expanded to work for WinSSL and so could CURLOPT_PINNEDPUBLICKEY [4].
The former would allow you to specify certificates to be used for
verification and the latter would allow you to specify public keys to be
used for verification.

If none of that works for you then you'll have to consider using a
different SSL backend.


Received on 2016-11-04
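
Added example, not part of the original message or of curl's code: what a public-key pin of the kind CURLOPT_PINNEDPUBLICKEY takes is computed from, namely `sha256//` plus the base64 SHA-256 of the certificate's DER SubjectPublicKeyInfo, so the check ties to the key and not to the chain of trust. The function names and the certificate-shaped sample bytes are constructed for illustration.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Parse the DER element at pos; return (tag, value_start, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or start + n > len(buf):
            raise ValueError("unsupported DER length")
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length

def spki_from_cert(der):
    """Return the raw SubjectPublicKeyInfo bytes of a DER X.509 certificate."""
    tag, start, _ = read_tlv(der, 0)               # Certificate SEQUENCE
    tbs_tag, pos, tbs_end = read_tlv(der, start)   # TBSCertificate SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a certificate")
    fields = []
    while pos < tbs_end:
        ftag, _, fend = read_tlv(der, pos)
        fields.append((ftag, pos, fend))
        pos = fend
    idx = 6 if fields and fields[0][0] == 0xA0 else 5   # version [0] is absent in v1
    if len(fields) <= idx or fields[idx][0] != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der[fields[idx][1]:fields[idx][2]]

def pin_of(der_cert):
    """Pin string in the sha256//<base64> form."""
    digest = hashlib.sha256(spki_from_cert(der_cert)).digest()
    return "sha256//" + base64.b64encode(digest).decode("ascii")

def matches_pin(der_cert, pinned):
    return pin_of(der_cert) in pinned.split(";")   # several pins may be joined with ';'

# Constructed sample input: a certificate-shaped DER skeleton with a dummy key, not a real cert.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body          # short-form lengths only

ALG = tlv(0x30, tlv(0x06, b"\x2b\x65\x70"))
SAMPLE_SPKI = tlv(0x30, ALG + tlv(0x03, b"\x00" + bytes(range(32))))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG + tlv(0x30, b"") * 3 + SAMPLE_SPKI)
SAMPLE_CERT = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00"))
```

Listing a second pin for a backup key lets the server rotate keys without the client rejecting it.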