Re: Override libcurl's server cert validation (WINSSL)

From: Ribhi Kamal <>
Date: Mon, 7 Nov 2016 09:44:20 -0500

To be honest, I love how libcurl integrated with WinSSL directly so I
wouldn't have to compile and use openssl on Windows. This keeps the
development dependencies to a minimum. So I'm going to give updating
libcurl a shot, but I suspect there will be a steep learning curve before
it is implemented and working correctly. So don't hold your breath.

Thanks for the pointers, guys. I'll keep you posted.

-- Ribhi

On Fri, Nov 4, 2016 at 6:46 PM, Ray Satiro via curl-library <> wrote:

> On 11/4/2016 5:17 PM, Ribhi Kamal wrote:
>> I'm trying to find a way to enable me to tell libcurl "Hey, I know this
>> FTPS server is using a bad certificate, but it's OK! I recognize its public
>> key, so please go ahead and connect to it." In other words, I would like to
>> have a say when libcurl is validating a certificate without turning off
>> certificate validation completely. See example below.
>> My main motivation is that I'm writing a Windows program that downloads
>> files from an FTPS server and I don't want to modify the machine's
>> certificate stores so that the server's cert is trusted. Does libcurl have
>> a callback or an option that allows me to specify my own custom server cert
>> validation?
> Unfortunately there's no way to do this currently with WinSSL. In some
> limited cases there's CURLINFO_TLS_SSL_PTR but it wasn't really designed
> for that, refer to the LIMITATIONS section [1]. As you can see there's no
> way for FTPS connections to be properly manually verified with libcurl and
> WinSSL. You can add your use case to the feature request 'Add a user
> callback for SSL connections' [2], but unless there's enough support the
> issue is unlikely to be revisited.
> In the meantime if you are looking to contribute there are two other ways
> this could happen more immediately. CURLOPT_CAINFO [3] could be expanded
> to work for WinSSL and so could CURLOPT_PINNEDPUBLICKEY [4]. The former
> would allow you to specify certificates to be used for verification and the
> latter would allow you to specify public keys to be used for verification.
> If none of that works for you then you'll have to consider using a
> different SSL backend.
> [1]:
> [2]:
> [3]:
> [4]:

Received on 2016-11-07