curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Disabling Server's Issue Date Validation with libcurl

From: Abhi Arora via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 9 Jan 2020 15:05:10 +0530

I am trying to disable Server's Certificate Issue Date Validation in Curl.
For that, I have registered a "own_verify_callback" by calling
"SSL_CTX_set_verify" in "sslContextVerify" function
("curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslContextVerify);").

The "own_verify_callback" gets called and it returns 1 but still curl
connection fails. I have set the system date and time to 1990.

The code is below. Please help! I am struck with it.

*static int own_verify_callback(int preverify, X509_STORE_CTX* x509_ctx){
/* For error codes, see http://www.openssl.org/docs/apps/verify.html
<http://www.openssl.org/docs/apps/verify.html> */ int err =
X509_STORE_CTX_get_error(x509_ctx); // if (preverify) // return
preverify; logger::Logger::error(std::string("--CURL: Error = ") +
std::to_string(err)); if(err == X509_V_ERR_CERT_NOT_YET_VALID)
logger::Logger::error("--CURL: Error = X509_V_ERR_CERT_NOT_YET_VALID"); if
((err == X509_V_OK) or (err == X509_V_ERR_CERT_NOT_YET_VALID)) return
1; return 1;}static CURLcode sslContextVerify(CURL* curl, void* ssl_ctx,
void* user_ptr) { (void) curl; /* avoid warnings */ int ret; ret =
SSL_CTX_use_certificate((SSL_CTX*) ssl_ctx, ((CertStore*)
user_ptr)->getCert()); if (ret != 1) { logger::Logger::error("PKI
Authentication: Set Certificate context failed."); return
CURLE_SSL_CERTPROBLEM; } //ret = SSL_CTX_use_RSAPrivateKey((SSL_CTX*)
ssl_ctx, ((CertStore*) user_ptr)->getKey()); EVP_PKEY *k; k =
EVP_PKEY_new(); if (!k){ return CURLE_SSL_CERTPROBLEM; }
EVP_PKEY_set1_EC_KEY(k, ((CertStore*) user_ptr)->getKey()); ret =
SSL_CTX_use_PrivateKey((SSL_CTX*) ssl_ctx, k); EVP_PKEY_free(k); if (ret
!= 1) { logger::Logger::error("PKI Authentication: Set Key context
failed."); return CURLE_SSL_CERTPROBLEM; } SSL_CTX_set_verify((SSL_CTX
*)ssl_ctx, SSL_VERIFY_PEER, own_verify_callback); /* all set to go */
return CURLE_OK;}std::map<std::string, std::string>
PkiAuthenticator::authenticate() { logger::Logger::info("Authenticating
with PKI..."); std::ostringstream request_url_str_stream;
request_url_str_stream << this->auth_endpoint; if
(this->auth_endpoint.find_last_of('/') != this->auth_endpoint.size() - 1)
{ request_url_str_stream << '/'; } request_url_str_stream <<
PkiAuthenticator::ENDPOINT_PATH; request_url_str_stream <<
this->system_type; std::string request_url(request_url_str_stream.str());
CURL* curl = curl_easy_init(); curl_easy_setopt(curl, CURLOPT_URL,
request_url.c_str()); curl_easy_setopt(curl, CURLOPT_HTTPGET, true);
curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
curl_easy_setopt(curl, CURLOPT_FRESH_CONNECT, true);
curl_easy_setopt(curl, CURLOPT_TIMEOUT_MS, 30000L); curl_easy_setopt(curl,
CURLOPT_VERBOSE, false); curl_easy_setopt(curl, CURLOPT_CAPATH,
"/etc/ssl/certs/ca-bundle.pem"); curl_easy_setopt(curl, CURLOPT_CAINFO ,
"/etc/ssl/certs/ca-bundle.pem"); curl_easy_setopt(curl,
CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); /*curl_easy_setopt(curl,
CURLOPT_SSL_CIPHER_LIST, "ECDHE-ECDSA-AES128-GCM-SHA256,"
                                "ECDHE-ECDSA-AES128-CBC-SHA256,"
                                      "ECDHE-ECDSA-AES256-GCM-SHA384,"

"ECDHE-ECDSA-AES256-CBC-SHA384,"
      "ECDHE-RSA-AES256-GCM-SHA384,"
          "ECDHE-RSA-AES128-GCM-SHA256,"
              "ECDHE-RSA-AES256-CBC-SHA384,"
                  "ECDHE-RSA-AES128-CBC-SHA256");*/curl_easy_setopt(curl,
CURLOPT_SSL_CIPHER_LIST, "ECDHE-ECDSA-AES128-GCM-SHA256,"
                                "ECDHE-ECDSA-AES128-CBC-SHA256,"
                                      "ECDHE-ECDSA-AES256-GCM-SHA384,"

"ECDHE-ECDSA-AES256-CBC-SHA384"); assert(curl != NULL);
utility::MemoryBuffer response_buffer(0); curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION, &memoryBufferWrite); curl_easy_setopt(curl,
CURLOPT_WRITEDATA, &response_buffer); utility::MemoryBuffer
header_buffer(0); curl_easy_setopt(curl, CURLOPT_HEADERDATA,
&header_buffer); curl_easy_setopt(curl, CURLOPT_HEADERFUNCTION,
&memoryBufferWrite); char error_buffer[CURL_ERROR_SIZE];
curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error_buffer); error_buffer[0]
= 0; // Set as empty string curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA,
this->cert_store); CURLcode ret = curl_easy_setopt(curl,
CURLOPT_SSL_CTX_FUNCTION, sslContextVerify); if (ret ==
CURLE_NOT_BUILT_IN) { logger::Logger::error("SSL context function not
built in. Cannot perform PKI with this OpenSSL-CURL build."); throw
std::runtime_error("SSL context function not built in. Cannot perform PKI
with this OpenSSL-CURL build."); } CURLcode curl_return_code;
curl_return_code = curl_easy_perform(curl); if (curl_return_code !=
CURLE_OK) { std::ostringstream error_msg; error_msg << "--CURL Error:
"; error_msg << error_buffer; if (errno) { error_msg << ": " <<
strerror(errno); } curl_easy_cleanup(curl);
logger::Logger::error(error_msg.str()); throw
std::runtime_error(error_msg.str()); }}*

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-01-09