Re: Override libcurl's server cert validation (WINSSL)

From: Ribhi Kamal <rbhkamal_at_gmail.com>
Date: Mon, 7 Nov 2016 09:44:20 -0500

To be honest, I love how libcurl integrated with WinSSL directly so I
wouldn't have to compile and use openssl on Windows. This keeps the
development dependencies to a minimum. So I'm going to give updating
libcurl a shot, but I suspect there will be a steep learning curve before
it is implemented and working correctly. So don't hold your breath.

Thanks for the pointers guys. I'll keep you posted.

-- Ribhi

On Fri, Nov 4, 2016 at 6:46 PM, Ray Satiro via curl-library <
curl-library_at_cool.haxx.se> wrote:

> On 11/4/2016 5:17 PM, Ribhi Kamal wrote:
>
>> I'm trying to find a way to enable me to tell libcurl "Hey, I know this
>> FTPS server is using a bad certificate, but it's OK! I recognize its public
>> key, so please go ahead and connect to it." In other words, I would like to
>> have a say when libcurl is validating a certificate without turning off
>> certificate validation completely. See example below.
>>
>> My main motivation is that I'm writing a Windows program that downloads
>> files from an FTPS server and I don't want to modify the machine's
>> certificate stores so that the server's cert is trusted. Does libcurl have
>> a callback or an option that allows me to specify my own custom server cert
>> validation?
>>
>>
> Unfortunately there's no way to do this currently with WinSSL. In some
> limited cases there's CURLINFO_TLS_SSL_PTR but it wasn't really designed
> for that, refer to the LIMITATIONS section [1]. As you can see there's no
> way for FTPS connections to be properly manually verified with libcurl and
> WinSSL. You can add your use case to the feature request 'Add a user
> callback for SSL connections' [2], but unless there's enough support the
> issue is unlikely to be revisited.
>
> In the meantime if you are looking to contribute there are two other ways
> this could happen more immediately. CURLOPT_CAINFO [3] could be expanded
> to work for WinSSL and so could CURLOPT_PINNEDPUBLICKEY [4]. The former
> would allow you to specify certificates to be used for verification and the
> latter would allow you to specify public keys to be used for verification.
>
> If none of that works for you then you'll have to consider using a
> different SSL backend.
>
>
> [1]: https://curl.haxx.se/libcurl/c/CURLINFO_TLS_SSL_PTR.html#LIMITATIONS
> [2]: https://github.com/curl/curl/issues/685
> [3]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
> [4]: https://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html
>

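Ray's second suggestion, verifying against a known public key instead of a trust-store certificate, is what CURLOPT_PINNEDPUBLICKEY (and the curl tool's --pinnedpubkey) does on backends that support it; Ray notes WinSSL did not at the time. As an added example that is not code from the thread or the curl project, this stand-alone Python script computes the `sha256//<base64>` pin curl expects from the server's DER certificate (the SHA-256 of its DER SubjectPublicKeyInfo); the certificate it parses is a constructed placeholder with a dummy key and signature, not a real one.

```python
import base64
import hashlib


def der(tag, value):
    """Minimal DER encoder, used only to construct the demo certificate below."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + value


def der_tlv(data, pos=0):
    """Decode one DER tag-length-value at `pos`; return (tag, value, end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def spki_from_cert_der(cert_der):
    """Return the raw DER SubjectPublicKeyInfo from an X.509 certificate."""
    _, cert_body, _ = der_tlv(cert_der)     # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert_body)          # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):                   # split tbsCertificate into raw TLVs
        _, _, end = der_tlv(tbs, pos)
        fields.append(tbs[pos:end])
        pos = end
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


def curl_pin(cert_der):
    """Build the CURLOPT_PINNEDPUBLICKEY / --pinnedpubkey value for this cert."""
    digest = hashlib.sha256(spki_from_cert_der(cert_der)).digest()
    return "sha256//" + base64.b64encode(digest).decode("ascii")


# Constructed stand-in for the FTPS server's certificate: a syntactically valid
# X.509 skeleton with a dummy RSA SPKI (not a real key, not a real signature).
RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")
DEMO_SPKI = der(0x30, der(0x30, RSA_OID) + der(0x03, b"\x00" + b"\x5a" * 140))
DEMO_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
               + der(0x30, b"") * 4 + DEMO_SPKI)   # sig/issuer/validity/subject empty
DEMO_CERT = der(0x30, DEMO_TBS + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    print(curl_pin(DEMO_CERT))   # pass as: curl --ftp-ssl --pinnedpubkey <pin> ...
```

Keep CURLOPT_SSL_VERIFYPEER enabled alongside the pin; the pin narrows which key is accepted, it does not replace verification.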
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-07