Re: Feature request/discussion: Callback for Client Certificate selection
From: Ray Satiro via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 19 Feb 2025 15:33:08 -0500
On 2/19/2025 11:21 AM, Ihor Dutchak via curl-library wrote:
> As per scenarios when mTLS is used (e.g. the server requires a client
> certificate to be specified), as part of the TLS protocol the server may send
> (and often does) a list of certificate authorities (the Chromium
> implementation calls it SSLCertRequestInfo), and only corresponding
> client certificates are to be accepted by the server.
>
> Having that list allows searching for a required certificate in a
> certificate store (maybe a hardware one) or even asking the user to
> specify one manually with the UI (this is what many browsers, e.g.
> Chromium, do).
>
> The current version of curl/libcurl (8.12.1) doesn't provide
> functionality to retrieve the list of CAs specified by the server.
>
> When the OpenSSL backend is used, there is one workaround: inside the
> SSL context callback (CURLOPT_SSL_CTX_FUNCTION) set the SSL info
> callback (SSL_CTX_set_info_callback) and wait for
> SSL_CB_HANDSHAKE_DONE, at which point SSL_get_client_CA_list will
> return the list of CAs specified by the server (in case the server did
> specify one).
> After that one may find the corresponding client certificate and set it to
> use, and the request has to be re-started, since the certificate cannot be
> set after the SSL/TLS connection has started.
>
> Other backends don't seem to allow this even as a workaround.
>
> E.g. for the schannel backend, there is the SECPKG_ATTR_CLIENT_CERT_POLICY
> context attribute that may be used to retrieve a list of client CAs
> specified by the server.
Does the option to auto select a client certificate with Schannel work
for your case?
curl: --ssl-auto-client-cert [1]
libcurl: CURLSSLOPT_AUTO_CLIENT_CERT [2]
[1]: https://curl.se/docs/manpage.html#--ssl-auto-client-cert
[2]: https://curl.se/libcurl/c/CURLOPT_SSL_OPTIONS.html#CURLSSLOPTAUTOCLIENTCERT
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html

Received on 2025-02-19