Re: CURLINFO_CERTINFO and TLS certificate chain availability
From: Ray Satiro via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 24 Dec 2025 03:55:55 -0500
On 12/23/2025 6:53 PM, dogma via curl-library wrote:
> Does CURLINFO_CERTINFO always provide the chain of certificates if it
> happens to be exposed by the backend, or is it more haphazard than that?
>
> If a transfer fails, I print the chain if it’s provided, but for example
> I just had one that failed because the certificate has expired. No
> chain. This is with OpenSSL.
I think historically it wasn't provided unless the transfer was
successful, the backend supported it and CURLOPT_CERTINFO [1] was
enabled for the transfer. However I just tested curl master branch [2]
with OpenSSL and retrieving CERTINFO worked for a failed transfer. I
tested against a URL (https://cdn.gigya.com) that serves a certificate
with no matching hostname ("no alternative certificate subject name
matches") so the transfer fails. I tested against some other URLs with
different types of cert problems as well as expired certificates and I
still got certinfo.
curl 8.18.0-DEV (i386-pc-win32) libcurl/8.18.0-DEV OpenSSL/3.0.8
nghttp2/1.52.0 WinLDAP
// from certinfo.c example, show certinfo
union {
  struct curl_slist *to_info;
  struct curl_certinfo *to_certinfo;
} ptr;

ptr.to_info = NULL;
/* one curl_slist of "Key:Value" strings per certificate in the chain */
if(!curl_easy_getinfo(curl, CURLINFO_CERTINFO, &ptr.to_info) &&
   ptr.to_info) {
  int i;
  printf("%d certs!\n", ptr.to_certinfo->num_of_certs);
  for(i = 0; i < ptr.to_certinfo->num_of_certs; i++) {
    struct curl_slist *slist;
    for(slist = ptr.to_certinfo->certinfo[i]; slist; slist = slist->next)
      printf("%s\n", slist->data);
  }
}
[1]: https://curl.se/libcurl/c/CURLOPT_CERTINFO.html
[2]: https://github.com/curl/curl
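The original question was about printing the chain when a transfer fails on an expired certificate. The following is an added example, not code from the thread, from curl, or from the poster: it takes the "Key:Value" strings that the certinfo.c loop above prints (one curl_slist per certificate) and reports which certificate in the chain is outside its validity window at a given time, which is what a failure handler would want to log alongside the raw chain. It assumes the OpenSSL backend's line format ("Subject:", "Issuer:", "Start date:", "Expire date:", "Cert:", with dates in OpenSSL's ASN1_TIME_print layout) and uses a constructed two-certificate chain as input so it runs offline.

```python
"""Group CURLINFO_CERTINFO 'Key:Value' lines per certificate and flag
certificates that are expired or not yet valid.

Added example; not code from curl or from the mailing-list thread.
The line format mirrors libcurl's OpenSSL backend; the chain below is
constructed, and its leaf certificate is deliberately expired.
"""
from datetime import datetime, timezone

# Constructed sample: what the certinfo.c loop would print for a chain of
# two certificates, split per certificate. Dates use OpenSSL's
# ASN1_TIME_print layout ("Mon DD HH:MM:SS YYYY GMT").
SAMPLE_CERTINFO = [
    [
        "Subject:CN = example.invalid",
        "Issuer:CN = Example Issuing CA",
        "Version:2",
        "Serial Number:0a1b2c",
        "Start date:Jan  1 00:00:00 2024 GMT",
        "Expire date:Dec 31 23:59:59 2024 GMT",
        "Cert:-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n"
        "-----END CERTIFICATE-----\n",
    ],
    [
        "Subject:CN = Example Issuing CA",
        "Issuer:CN = Example Root CA",
        "Version:2",
        "Serial Number:01",
        "Start date:Jan  1 00:00:00 2020 GMT",
        "Expire date:Jan  1 00:00:00 2030 GMT",
        "Cert:-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n"
        "-----END CERTIFICATE-----\n",
    ],
]


def parse_cert(lines):
    """Turn one certificate's 'Key:Value' slist entries into a dict.

    Only the first ':' separates key from value: subject and issuer
    strings and the PEM blob legitimately contain further colons.
    """
    fields = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def parse_asn1_time(text):
    """Parse 'Jan  1 00:00:00 2024 GMT' into an aware UTC datetime.

    split() collapses the double space OpenSSL emits for single-digit days.
    """
    parts = text.split()
    stamp = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)


def validity_problems(chain, now):
    """Return (index, subject, reason) for each certificate that is not yet
    valid or already expired at 'now'.

    'now' is an aware datetime, or a string in the same ASN1 layout as the
    certinfo dates so the check can be pinned to a fixed instant.
    """
    if isinstance(now, str):
        now = parse_asn1_time(now)
    problems = []
    for i, lines in enumerate(chain):
        cert = parse_cert(lines)
        not_before = parse_asn1_time(cert["Start date"])
        not_after = parse_asn1_time(cert["Expire date"])
        if now < not_before:
            problems.append((i, cert["Subject"],
                             "not yet valid until " + not_before.isoformat()))
        elif now > not_after:
            problems.append((i, cert["Subject"],
                             "expired on " + not_after.isoformat()))
    return problems


def describe_chain(chain, now):
    """Render the chain the way a failure handler might log it: one line
    per certificate (depth, subject, issuer, validity window) followed by
    any validity problems found."""
    out = []
    for i, lines in enumerate(chain):
        cert = parse_cert(lines)
        out.append("[%d] subject=%s issuer=%s valid %s .. %s" % (
            i, cert.get("Subject", "?"), cert.get("Issuer", "?"),
            cert.get("Start date", "?"), cert.get("Expire date", "?")))
    for i, subject, reason in validity_problems(chain, now):
        out.append("[%d] PROBLEM: %s %s" % (i, subject, reason))
    return "\n".join(out)


if __name__ == "__main__":
    print(describe_chain(SAMPLE_CERTINFO, datetime.now(timezone.utc)))
```

In a real handler the input lists would be built from `ptr.to_certinfo->certinfo[i]` after `curl_easy_perform()` returns, whether or not it returned CURLE_OK; the parsing is deliberately tolerant of missing keys because other TLS backends populate a different subset of fields.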
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html

Received on 2025-12-24