Re: CURLINFO_CERTINFO and TLS certificate chain availability
From: dogma via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 24 Dec 2025 16:49:32 +0000
> From: Ray Satiro
> On 12/23/2025 6:53 PM, dogma via curl-library wrote:
> > Does CURLINFO_CERTINFO always provide the chain of certificates if it
> > happens to be exposed by the backend, or is it more haphazard than that?
> >
> > If a transfer fails, I print the chain if it's provided, but for example
> > I just had one that failed because the certificate has expired. No
> > chain. This is with OpenSSL.
>
>
> I think historically it wasn't provided unless the transfer was
> successful, the backend supported it and CURLOPT_CERTINFO [1] was
> enabled for the transfer. However I just tested curl master branch [2]
> with OpenSSL and retrieving CERTINFO worked for a failed transfer. I
> tested against a URL (https://cdn.gigya.com) that serves a certificate
> with no matching hostname ("no alternative certificate subject name
> matches") so the transfer fails. I tested against some other URLs with
> different types of cert problems as well as expired certificates and I
> still got certinfo.
Yes, I do get certinfo for that "no alternative certificate subject name matches" site as well.
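The retrieval the thread is about, written out as an added example (not curl's own code and not posted by either participant): it sets CURLOPT_CERTINFO before the transfer, reads CURLINFO_CERTINFO after perform() whether or not the transfer succeeded, and flags which certificate in the returned chain has expired. It is written against pycurl, assumed installed, as the libcurl binding (pycurl.OPT_CERTINFO and pycurl.INFO_CERTINFO map to the two libcurl symbols). The field labels ("Start date", "Expire date") and the "Mon DD HH:MM:SS YYYY GMT" time format are assumed from curl's OpenSSL backend, and the sample chain is constructed, not captured from any host.

```python
"""Read CURLINFO_CERTINFO from a libcurl handle whether or not the transfer
succeeded, and flag expired certificates in the returned chain.

Added example; not code from the curl project or from the thread.  It uses
pycurl (assumed installed) as the libcurl binding: pycurl.OPT_CERTINFO is
CURLOPT_CERTINFO and pycurl.INFO_CERTINFO is CURLINFO_CERTINFO.
"""
import sys
from datetime import datetime, timezone


def fetch_chain(url, timeout=15):
    """Perform a HEAD request and return (ok, error_text, certinfo).

    certinfo is pycurl's INFO_CERTINFO value: one list per certificate,
    each a list of (field, value) tuples.  It is read after perform()
    regardless of the outcome; an empty list means the backend exposed
    no chain for this transfer.
    """
    import pycurl  # assumption: pycurl is installed; imported lazily so the
                   # offline helpers below work without it

    c = pycurl.Curl()
    c.setopt(pycurl.URL, url)
    c.setopt(pycurl.NOBODY, 1)                 # the handshake is all we need
    c.setopt(pycurl.TIMEOUT, timeout)
    c.setopt(pycurl.WRITEFUNCTION, lambda data: None)
    c.setopt(pycurl.OPT_CERTINFO, 1)           # must be set before the transfer
    ok, err = True, ""
    try:
        c.perform()
    except pycurl.error as e:                  # e.g. CURLE_PEER_FAILED_VERIFICATION
        ok, err = False, "%s (code %d)" % (e.args[1], e.args[0])
    certinfo = c.getinfo(pycurl.INFO_CERTINFO)  # read even after a failure
    c.close()
    return ok, err, certinfo


def parse_curl_time(value):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' text curl's OpenSSL backend
    emits for the start/expire date fields (format assumed here)."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def summarize_chain(certinfo, now=None):
    """One dict per certificate, in the order curl reports them (leaf first
    with OpenSSL), with subject, issuer, validity and an 'expired' flag."""
    now = now or datetime.now(timezone.utc)
    chain = []
    for cert in certinfo:
        # labels compared case-insensitively; "Expire date" is the assumed OpenSSL label
        fields = {name.lower(): value for name, value in cert}
        expire = fields.get("expire date")
        chain.append({
            "subject": fields.get("subject"),
            "issuer": fields.get("issuer"),
            "start": fields.get("start date"),
            "expire": expire,
            "expired": expire is not None and parse_curl_time(expire) < now,
        })
    return chain


def report(ok, err, certinfo, now=None):
    """Lines a diagnostic tool would print; the chain is shown even on failure."""
    lines = ["transfer ok" if ok else "transfer failed: " + err]
    chain = summarize_chain(certinfo, now)
    if not chain:
        lines.append("no certificate chain exposed by the TLS backend")
        return lines
    for i, c in enumerate(chain):
        flag = "  <-- EXPIRED" if c["expired"] else ""
        lines.append("cert %d: subject=%s" % (i, c["subject"]))
        lines.append("        issuer=%s" % c["issuer"])
        lines.append("        valid %s .. %s%s" % (c["start"], c["expire"], flag))
    return lines


# Constructed sample in pycurl's INFO_CERTINFO shape for a server whose leaf
# certificate has expired; not captured from any real host.
SAMPLE_EXPIRED = [
    [("Subject", "CN=example.test"), ("Issuer", "CN=Example Issuing CA"),
     ("Start date", "Jan  1 00:00:00 2024 GMT"), ("Expire date", "Jan  1 00:00:00 2025 GMT")],
    [("Subject", "CN=Example Issuing CA"), ("Issuer", "CN=Example Root CA"),
     ("Start date", "Jan  1 00:00:00 2020 GMT"), ("Expire date", "Jan  1 00:00:00 2030 GMT")],
]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: certinfo_on_failure.py https://host/")
    ok, err, certinfo = fetch_chain(sys.argv[1])
    print("\n".join(report(ok, err, certinfo)))
```

Run it with the URL of a host whose certificate fails verification; the "no certificate chain exposed" branch is the situation described at the top of the thread, and the EXPIRED marker shows which certificate in the chain tripped the check when a chain is returned.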
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html

Received on 2025-12-24