Re: Feature request/discussion: Callback for Client Certificate selection
From: Ihor Dutchak via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 20 Feb 2025 00:40:31 +0200
It is hard for me to reason about what is common when it comes to client certificate usage in the scope of SSL/TLS, but here are some points from my experience.

When a developer makes an application for a specific web server, there is a high chance it may choose a specific client certificate in advance.

But an admin - he did choose a certificate and installed it into a TPM module, which is now only available from the LOCAL_MACHINE storage, and I, as a developer, have to use it from that scope.

And, as a developer of the application, I don't know the certificate name in advance, since it (the application) is intended to be used on different devices that will access different remote web servers, and only specific devices (with specific device certificates installed) are allowed to access specific web servers (which advertise the allowed CAs of those certificates).

As for selecting from multiple certificates, one use case I've faced is when there are two similar certificates installed, but one of them is expired/about to expire or revoked (and the client/device doesn't know about the revocation), and the other one is newly issued/installed.

And secondly, for some reason, both Chromium (and alike) and Firefox browsers (maybe others, I didn't check) show a UI prompt for the user to select a certificate to use manually (or discard/use none, which might be a valid option sometimes) by default (even if there is only one matching certificate available), which is the first thing you see when you are trying to open a web page which has mTLS enabled, so that looks, if not common, then at least like a default.
>> But:
>> 1) It doesn't work if the certificate is installed in LOCAL_MACHINE storage;
>> 2) It doesn't allow manually selecting which certificate to use (e.g.
>> if there are more than one available).
>
>
> Are either of those a common thing to do? Couldn't an admin, developer or user select the certificate usually?
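The selection policy the post argues for (accept only certificates issued by a CA the server advertises, skip expired or known-revoked ones, and prefer the newest of two similar certificates, or present none) as an added example in Python. This is not curl's code and curl has no such callback; the certificate records, store names and CA names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence


@dataclass(frozen=True)
class ClientCert:
    """Minimal view of a certificate found in a store (constructed, not a real X.509 object)."""
    subject: str
    issuer: str            # issuer distinguished name
    not_before: datetime
    not_after: datetime
    store: str             # "CURRENT_USER" or "LOCAL_MACHINE" (Windows store names)
    known_revoked: bool = False  # the client often does not know about revocation at all


def select_client_cert(candidates: Sequence[ClientCert], accepted_issuers: Sequence[str],
                       now: datetime) -> Optional[ClientCert]:
    """Return the certificate to present, or None to send no certificate.

    Simplification: a certificate matches only if its direct issuer is one of the
    CA names the server advertised in its CertificateRequest.
    """
    usable = [
        c for c in candidates
        if c.issuer in accepted_issuers
        and c.not_before <= now <= c.not_after
        and not c.known_revoked
    ]
    if not usable:
        return None
    # Two similar certificates from the same CA: prefer the most recently issued one.
    return max(usable, key=lambda c: c.not_before)


# Constructed sample: an old and a renewed device certificate in LOCAL_MACHINE, plus a user cert.
NOW = datetime(2025, 2, 20, tzinfo=timezone.utc)
ACCEPTED_CAS = ["CN=Example Device CA"]  # constructed; in reality parsed from the TLS handshake
SAMPLE_STORE = [
    ClientCert("CN=device-0042", "CN=Example Device CA",
               datetime(2023, 1, 1, tzinfo=timezone.utc), datetime(2025, 1, 1, tzinfo=timezone.utc),
               "LOCAL_MACHINE"),
    ClientCert("CN=device-0042", "CN=Example Device CA",
               datetime(2025, 1, 15, tzinfo=timezone.utc), datetime(2027, 1, 15, tzinfo=timezone.utc),
               "LOCAL_MACHINE"),
    ClientCert("CN=alice", "CN=Example Corp User CA",
               datetime(2024, 6, 1, tzinfo=timezone.utc), datetime(2026, 6, 1, tzinfo=timezone.utc),
               "CURRENT_USER"),
]

if __name__ == "__main__":
    chosen = select_client_cert(SAMPLE_STORE, ACCEPTED_CAS, NOW)
    print("present:", chosen.subject if chosen else "no certificate", "from", chosen.store if chosen else "-")
```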
Received on 2025-02-19