curl-library
Re: Override libcurl's server cert validation (WINSSL)
Date: Mon, 7 Nov 2016 09:44:20 -0500
To be honest, I love how libcurl integrated with WinSSL directly so I
wouldn't have to compile and use openssl on Windows. This keeps the
development dependencies to a minimum. So I'm going to give it updating
libcurl a shot, but I suspect there will be a steep learning curve before
it is implemented and working correctly. So don't hold your breath.
Thanks for the pointers guys. I'll keep you posted.
-- Ribhi
On Fri, Nov 4, 2016 at 6:46 PM, Ray Satiro via curl-library <
curl-library_at_cool.haxx.se> wrote:
> On 11/4/2016 5:17 PM, Ribhi Kamal wrote:
>
>> I'm trying to find a way to enable me to tell libcurl "Hey, I know this
>> FTPS server is using a bad certificate, but its OK! I recognize its public
>> key, so please go ahead and connect to it." In other words, I would like to
>> have a say when libcurl is validating a certificate without turning off
>> certificate validation completely. See example below.
>>
>> My main motivation is that I'm writing a windows program that downloads
>> files from an FTPS server and I don't want to modify the machines
>> certificate stores so that the server's cert is trusted. Does libcurl have
>> a callback or an option that allows to specify my own custom server cert
>> validation?
>>
>>
> Unfortunately there's no way to do this currently with WinSSL. In some
> limited cases there's CURLINFO_TLS_SSL_PTR but it wasn't really designed
> for that, refer to the LIMITATIONS section [1]. As you can see there's no
> way for FTPS connections to be properly manually verified with libcurl and
> WinSSL. You can add your use case to the feature request 'Add a user
> callback for SSL connections' [2], but unless there's enough support the
> issue is unlikely to be revisited.
>
> In the meantime if you are looking to contribute there are two other ways
> this could happen more immediately. CURLOPT_CAINFO [3] could be expanded
> to work for WinSSL and so could CURLOPT_PINNEDPUBLICKEY [4]. The former
> would allow you to specify certificates to be used for verification and the
> latter would allow you to specify public keys to be used for verification.
>
> If none of that works for you then you'll have to consider using a
> different SSL backend.
>
>
> [1]: https://curl.haxx.se/libcurl/c/CURLINFO_TLS_SSL_PTR.html#LIMITATIONS
> [2]: https://github.com/curl/curl/issues/685
> [3]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
> [4]: https://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html
>
>
> -------------------------------------------------------------------
> List admin: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
>
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-07