curl-library

Re: Fetching the detail of SSL Host verification failure

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 25 Oct 2018 08:15:26 +0200 (CEST)

On Tue, 23 Oct 2018, Basuke Suzuki via curl-library wrote:

> We need to distinguish these four cases from CURLE_PEER_FAILED_VERIFICATION.
> So we want to fix this by extending the API. There are three options we can
> take and we want to hear your opinion.

...

> 4) Use CURLINFO_SSL_VERIFYRESULT.
>
> Because OpenSSL returns no validation error, the field for this verify
> result is available in this situation. When verifyhost() fails, the return
> code is unchanged from CURLE_PEER_FAILED_VERIFICATION and a newly defined
> error code is put into data->set.ssl.certverifyresult, which is available via
> curl_easy_getinfo with CURLINFO_SSL_VERIFYRESULT. This doesn't break
> existing applications.
>
> We are ready to send a PR for solution 4, but before sending this, we want
> to hear the voice of the community.

This is the approach I personally prefer. Just make sure you document the
specific error codes and for what situations they are used, as detailed as
possible. This is the sort of thing that people soon might want for other SSL
backends as well and then we need detailed explanations to know how to
implement and use them there as well...

-- 
  / daniel.haxx.se
Received on 2018-10-25