
Re: Getting SSL certificate info on a reused connection

From: Stefan Eissing via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 8 Jul 2024 15:08:05 +0200

Hi,

> Am 08.07.2024 um 14:41 schrieb Jicea via curl-library <curl-library_at_lists.haxx.se>:
>
> Hi all,
>
> I would like to get SSL certificate information by using CURLINFO_CERTINFO.
>
> On a simple configuration (classic libcurl sample), I can get the information I need on the SSL certs chain.
> If I'm doing a second call with the same curl handle and if the connection is reused, CURLINFO_CERTINFO doesn't provide any SSL certificate.
>
> Looking at the logs, I can see, for instance:
>
> ==================* Found bundle for host: 0x600003d80b40 [can multiplex]
> * Re-using existing connection with host google.com
> * [HTTP/2] [3] OPENED stream for https://google.com/
> * [HTTP/2] [3] [:method: GET]
> * [HTTP/2] [3] [:scheme: https]
> * [HTTP/2] [3] [:authority: google.com]
> * [HTTP/2] [3] [:path: /]
> * [HTTP/2] [3] [accept: */*]
>> GET / HTTP/2
>
> I've the impression that, as the connection is reused, and the SSL handshake doesn't occur the second time, CURLINFO_CERTINFO doesn't convey any certificates to look at.
>
> Can somebody confirm this?

CERTINFO is only initialized on the easy handle that does the TLS handshake.

>
> What could I do to get these certificates' information, regardless of whether the connection is reused or not? I'm thinking about keeping a "cache" of certificate info on the client side but I fear bad side effects (bugs on my part!)
> (or just a map of connection-id / certificates)

The question of what is "best" depends on what you want to do with this information. You can get the ID of the connection that an easy handle uses via CURLINFO_CONN_ID. That is not globally unique, but unique for all easy handles using the same multi handle or Curl_share.

- Stefan

>
> My libcurl C sample:
>
> ```
> #include <stdio.h>
> #include <curl/curl.h>
>
> void print_cert(CURL* curl) {
>   int i;
>   struct curl_certinfo *ci;
>   CURLcode res = curl_easy_getinfo(curl, CURLINFO_CERTINFO, &ci);
>   if (res) {
>     fprintf(stderr, "Error calling CURLINFO_CERTINFO\n");
>     return;
>   }
>
>   fprintf(stderr, "%d certs!\n", ci->num_of_certs);
>
>   for (i = 0; i < ci->num_of_certs; i++) {
>     struct curl_slist *slist;
>
>     for (slist = ci->certinfo[i]; slist; slist = slist->next)
>       fprintf(stderr, "%s\n", slist->data);
>   }
> }
>
> int main(void) {
>   CURL *curl = curl_easy_init();
>   if (!curl) {
>     return 1;
>   }
>   CURLcode res;
>   curl_easy_setopt(curl, CURLOPT_URL, "https://google.com");
>
>   curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
>   curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
>   curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
>   curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
>
>   fprintf(stderr, "==================");
>
>   res = curl_easy_perform(curl);
>   if (!res) {
>     print_cert(curl);
>   }
>
>   fprintf(stderr, "==================");
>
>   res = curl_easy_perform(curl);
>   if (!res) {
>     print_cert(curl);
>   }
>
>   curl_easy_cleanup(curl);
>   return 0;
> }
> ```
>
> This will make 2 GET requests to "https://google.com"
>
> When executing:
>
> ```
> $ ./main 2>&1 >/dev/null | grep certs
> 3 certs!
> 0 certs!
> ```
>
> Thanks a lot!

-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2024-07-08