Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Getting SSL certificate info on a reused connection
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Jicea via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 8 Jul 2024 12:41:58 +0000
Hi all,
I would like to get SSL certificate information by using CURLINFO_CERTINFO.
On a simple configuration (classic libcurl sample), I can get the information I need on the SSL certs chain.
If I'm doing a second call with the same curl handle and if the connection is reused, CURLINFO_CERTINFO doesn't provide any SSL certificate.
Looking at the logs, I can see, for instance:
==================* Found bundle for host: 0x600003d80b40 [can multiplex]
* Re-using existing connection with host google.com
* [HTTP/2] [3] OPENED stream for https://google.com/
* [HTTP/2] [3] [:method: GET]
* [HTTP/2] [3] [:scheme: https]
* [HTTP/2] [3] [:authority: google.com]
* [HTTP/2] [3] [:path: /]
* [HTTP/2] [3] [accept: */*]
> GET / HTTP/2
I've the impression that, as the connection is reused, and the SSL handshake doesn't occur the second time, CURLINFO_CERTINFO doesn't convey any certificates to look.
Can somebody confirms this?
What could I do to get these certificates information, regardless of the connection is reused or not? I'm thinking about keeping a "cache" of certificates info on the client side but I fear bad side effects (bug on my parts!)
(or just a map of connection-id / certificates)
My libcurl C sample:
```
#include <stdio.h>
#include <curl/curl.h>
void print_cert(CURL* curl) {
int i;
struct curl_certinfo *ci;
CURLcode res = curl_easy_getinfo(curl, CURLINFO_CERTINFO, &ci);
if (res) {
fprintf(stderr, "Error calling CURLINFO_CERTINFO");
return;
}
fprintf(stderr, "%d certs!\n", ci->num_of_certs);
for (i = 0; i < ci->num_of_certs; i++) {
struct curl_slist *slist;
for (slist = ci->certinfo[i]; slist; slist = slist->next)
fprintf(stderr, "%s\n", slist->data);
}
}
int main(void) {
CURL *curl = curl_easy_init();
if (!curl) {
return 1;
}
CURLcode res;
curl_easy_setopt(curl, CURLOPT_URL, "https://google.com");
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
fprintf(stderr, "==================");
res = curl_easy_perform(curl);
if (!res) {
print_cert(curl);
}
fprintf(stderr, "==================");
res = curl_easy_perform(curl);
if (!res) {
print_cert(curl);
}
curl_easy_cleanup(curl);
}
```
This will make 2 GET requests to "https://googl.com"
When executing:
```
$ ./main 2>&1 >/dev/null | grep certs
3 certs!
0 certs!
```
Thanks a lot!
Orange Restricted
____________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
Date: Mon, 8 Jul 2024 12:41:58 +0000
Hi all,
I would like to get SSL certificate information by using CURLINFO_CERTINFO.
On a simple configuration (classic libcurl sample), I can get the information I need on the SSL certs chain.
If I'm doing a second call with the same curl handle and if the connection is reused, CURLINFO_CERTINFO doesn't provide any SSL certificate.
Looking at the logs, I can see, for instance:
==================* Found bundle for host: 0x600003d80b40 [can multiplex]
* Re-using existing connection with host google.com
* [HTTP/2] [3] OPENED stream for https://google.com/
* [HTTP/2] [3] [:method: GET]
* [HTTP/2] [3] [:scheme: https]
* [HTTP/2] [3] [:authority: google.com]
* [HTTP/2] [3] [:path: /]
* [HTTP/2] [3] [accept: */*]
> GET / HTTP/2
I've the impression that, as the connection is reused, and the SSL handshake doesn't occur the second time, CURLINFO_CERTINFO doesn't convey any certificates to look.
Can somebody confirms this?
What could I do to get these certificates information, regardless of the connection is reused or not? I'm thinking about keeping a "cache" of certificates info on the client side but I fear bad side effects (bug on my parts!)
(or just a map of connection-id / certificates)
My libcurl C sample:
```
#include <stdio.h>
#include <curl/curl.h>
void print_cert(CURL* curl) {
int i;
struct curl_certinfo *ci;
CURLcode res = curl_easy_getinfo(curl, CURLINFO_CERTINFO, &ci);
if (res) {
fprintf(stderr, "Error calling CURLINFO_CERTINFO");
return;
}
fprintf(stderr, "%d certs!\n", ci->num_of_certs);
for (i = 0; i < ci->num_of_certs; i++) {
struct curl_slist *slist;
for (slist = ci->certinfo[i]; slist; slist = slist->next)
fprintf(stderr, "%s\n", slist->data);
}
}
int main(void) {
CURL *curl = curl_easy_init();
if (!curl) {
return 1;
}
CURLcode res;
curl_easy_setopt(curl, CURLOPT_URL, "https://google.com");
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
fprintf(stderr, "==================");
res = curl_easy_perform(curl);
if (!res) {
print_cert(curl);
}
fprintf(stderr, "==================");
res = curl_easy_perform(curl);
if (!res) {
print_cert(curl);
}
curl_easy_cleanup(curl);
}
```
This will make 2 GET requests to "https://googl.com"
When executing:
```
$ ./main 2>&1 >/dev/null | grep certs
3 certs!
0 certs!
```
Thanks a lot!
Orange Restricted
____________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2024-07-08