curl-tracker Archives

[ curl-Feature Requests-3569642 ] Pinning SSL certificates / check SSL fingerprints

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Thu, 20 Sep 2012 13:38:34 -0700

Feature Requests item #3569642, was opened at 2012-09-19 13:37
Message generated for change (Comment added) made by dfandrich
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=350976&aid=3569642&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: encryption
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: adrelanos (adrelanos)
Assigned to: Daniel Stenberg (bagder)
Summary: Pinning SSL certificates / check SSL fingerprints

Initial Comment:
Because SSL CAs have failed many times (Comodo, DigiNotar, ...) I wish to have
an option to pin an SSL certificate. The fingerprint may be optionally provided
through a new option.

Something like:

curl --tlsv1 --serial-number xx:yy:zz --fingerprint xxyyzz https://site.com?

----------------------------------------------------------------------

>Comment By: Dan Fandrich (dfandrich)
Date: 2012-09-20 13:38

Message:
I haven't played with this much, but passing the certificate in with
--cacert seemed to work for me on an OpenSSL-based curl.

----------------------------------------------------------------------

Comment By: adrelanos (adrelanos)
Date: 2012-09-19 14:56

Message:
curl --cacert pins the certificate authority, not the certificate.

You cannot easily use the certificate locally. That would require a new
feature, which I am requesting here.

You also cannot easily run a local certificate authority. This is because
you cannot easily sign a certificate if you do not have a certificate
signing request.
"OpenSSL users mailing list: Sign public key without having CSR or private
key?"
http://www.mail-archive.com/openssl-users@openssl.org/msg67968.html
http://www.mail-archive.com/openssl-users@openssl.org/msg67962.html

----------------------------------------------------------------------

Comment By: Dan Fandrich (dfandrich)
Date: 2012-09-19 13:43

Message:
Does this really buy you anything you wouldn't get by storing a copy of the
certificate on the local machine and passing that in?

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2012-09-19 13:40

Message:
A great idea!

Feel free to join us on the curl-library list and help us write code to
make this feature a reality!

----------------------------------------------------------------------

Received on 2012-09-20
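
The distinction argued in the thread (pinning the CA with --cacert versus pinning the one certificate) as an added Python example, not code from curl or from any poster: it compares the SHA-256 fingerprint of the server's leaf certificate with a pinned value while leaving CA and hostname validation on. The function names, the choice of SHA-256 and the sample bytes are assumptions of this example.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a certificate's DER bytes (not a real certificate);
# the fingerprint is a hash over the encoding, so any bytes exercise the logic.
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER encoding, colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der_cert).digest())


def pem_fingerprint(pem_cert: str) -> str:
    """Fingerprint of a locally stored PEM copy of the certificate."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))


def normalize_pin(pin: str) -> bytes:
    """Accept 'AA:BB:...' or plain hex; return the raw 32-byte digest."""
    raw = bytes.fromhex(pin.strip().replace(":", ""))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("pin must be a 32-byte SHA-256 fingerprint")
    return raw


def pin_matches(der_cert: bytes, pin: str) -> bool:
    """Constant-time comparison of the certificate's digest with the pin."""
    return hmac.compare_digest(hashlib.sha256(der_cert).digest(), normalize_pin(pin))


def connect_pinned(host: str, pin: str, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection; refuse it unless the leaf certificate matches."""
    expected = normalize_pin(pin)          # reject a malformed pin before connecting
    ctx = ssl.create_default_context()     # CA and hostname checks stay enabled
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not hmac.compare_digest(hashlib.sha256(der).digest(), expected):
        tls.close()
        raise ssl.SSLError("leaf certificate does not match the pinned fingerprint")
    return tls
```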

Page updated January 05, 2012.