
Feature request/discussion: Callback for Client Certificate selection

From: Ihor Dutchak via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 19 Feb 2025 18:21:18 +0200

In scenarios where mTLS is used (e.g. the server requires a client
certificate to be specified), as part of the TLS protocol the server may
send (and often does) a list of certificate authorities (the Chromium
implementation calls it SSLCertRequestInfo), and only corresponding
client certificates are accepted by the server.

Having that list allows searching for the required certificate in a
certificate store (maybe a hardware one) or even asking the user to
specify one manually via the UI (this is what many browsers, e.g.
Chromium, do).

The current version of curl/libcurl (8.12.1) doesn't provide
functionality to retrieve the list of CAs specified by the server.

When the OpenSSL backend is used, there is one workaround: inside the
SSL context callback (CURLOPT_SSL_CTX_FUNCTION), set the SSL info
callback (SSL_CTX_set_info_callback) and wait for
SSL_CB_HANDSHAKE_DONE, at which point SSL_get_client_CA_list will
return the list of CAs specified by the server (in case the server did
specify one).
After that one may find the corresponding client certificate and set it
to be used, and the request has to be restarted, since the certificate
cannot be set after the SSL/TLS connection has started.

Other backends don't seem to allow this, even as a workaround.

E.g. for the schannel backend, there is a SECPKG_ATTR_CLIENT_CERT_POLICY
context attribute that may be used to retrieve the list of client CAs
specified by the server.

I haven't checked other backends, but I believe similar
functionality/APIs should be present, as it is part of the TLS protocol.

As for curl/libcurl: it would be great to have a callback function where
the list of CAs specified by the server during the initial TLS
handshake is provided, and a way to set the selected client certificate
from the context of that callback (or, maybe, in some other way).

I totally understand this is a big chunk of work, but I failed to find
any information about it which is specific to curl, so I'm starting this
conversation with a summary of my findings.
Received on 2025-02-19