
curl-tracker Archives

[ curl-Feature Requests-3569642 ] Pinning SSL certificates / check SSL fingerprints

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Sat, 22 Sep 2012 02:32:59 -0700

Feature Requests item #3569642 was opened at 2012-09-19 13:37
Message generated for change (Comment added) made by dfandrich
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=350976&aid=3569642&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: encryption
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: adrelanos (adrelanos)
Assigned to: Daniel Stenberg (bagder)
Summary: Pinning SSL certificates / check SSL fingerprints

Initial Comment:
Because SSL CAs have failed many times (Comodo, DigiNotar, ...) I wish to have
an option to pin an SSL certificate. The fingerprint may be optionally provided
through a new option.

Something like:

curl --tlsv1 --serial-number xx:yy:zz --fingerprint xxyyzz https://site.com?

----------------------------------------------------------------------

Comment By: Dan Fandrich (dfandrich)
Date: 2012-09-22 02:32

Message:
Here's a self-contained script using stunnel that works for me (using
stunnel 4.53, OpenSSL 1.0.0d and curl 7.21.5 or git HEAD). The stunnel cert
is self-signed so curl fails without the --cacert (or -k) option.

#!/bin/bash -x
# Plain HTTP server on port 8000, to sit behind the TLS proxy
python /usr/lib/python2.7/SimpleHTTPServer.py &
PYPID=$!
# stunnel terminates TLS on 8443 and forwards to port 8000; the config is
# fed on stdin and the daemon's pid file is kept for cleanup below
stunnel /dev/stdin << EOF
debug=6
foreground=no
pid=/tmp/s$$.pid
[http]
client=no
cert=/etc/pki/tls/certs/stunnel.pem
key=/etc/pki/tls/private/stunnel.pem
connect=8000
accept=8443
EOF
sleep 1
# The self-signed stunnel certificate doubles as curl's trust anchor
curl -v --cacert /etc/pki/tls/certs/stunnel.pem https://$(hostname):8443/
kill $PYPID
kill $(< /tmp/s$$.pid)

----------------------------------------------------------------------

Comment By: adrelanos (adrelanos)
Date: 2012-09-20 14:50

Message:
As far as I understand, --cacert pins the SSL Certificate Authority. There is
no option to pin the SSL Certificate directly.

If I am wrong,
1. please try to download an SSL certificate from a website
2. get it into curl usable form
3. deactivate the system's ca-certificates (rename /usr/share/ca-certificates
for testing)
4. use the --cacert option with the downloaded certificate

It didn't work for me. If it does for you, please document your steps.
It's nowhere documented. I've been looking for this for some weeks already.

----------------------------------------------------------------------
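The check the feature request at the top of the thread asks for (compare the server's certificate fingerprint against a pinned value, in the xx:yy:zz or xxyyzz spelling the request suggests) together with the "download the certificate and get it into curl usable form" step of the test recipe above, written out as an added Python example. This is editor-supplied illustration, not code from the thread or from curl: the function names, the SHA-256 choice (the request names no digest) and the SAMPLE_DER / SAMPLE_PEM values are assumptions, and the sample bytes are constructed, not a real X.509 certificate.

```python
"""Certificate pinning by fingerprint, in the shape the feature request sketches.

Illustrative code added to this thread; names, digest choice and the sample
data are assumptions, not curl's implementation.
"""
import hashlib
import hmac
import socket
import ssl
import sys

# Constructed stand-in for a server's DER-encoded certificate: only used by the
# offline check, not a real X.509 structure.
SAMPLE_DER = b"constructed-sample-der-bytes, not a real X.509 certificate"
# The same bytes as PEM, the "curl usable form" a saved server certificate takes.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def normalize_fingerprint(pin: str) -> str:
    """Accept the spellings a user might type ("xx:yy:zz", "xxyyzz", any case,
    or the "SHA256 Fingerprint=..." line printed by `openssl x509 -fingerprint`)
    and return 64 lowercase hex digits, or raise ValueError."""
    p = pin.strip()
    if "=" in p:
        p = p.split("=", 1)[1]
    if p.lower().startswith("sha256:"):
        p = p[len("sha256:"):]
    p = p.replace(":", "").replace(" ", "").lower()
    if len(p) != 64 or any(c not in "0123456789abcdef" for c in p):
        raise ValueError("pin must be a SHA-256 fingerprint: 32 bytes as hex")
    return p


def colon_form(hex_digest: str) -> str:
    """Render a hex digest as AB:CD:... for display, matching the openssl style."""
    h = hex_digest.upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 over the whole DER certificate (what openssl -sha256 -fingerprint prints)."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_of_pem(pem: str) -> str:
    """Same digest, starting from a PEM file saved from a server."""
    return fingerprint_of_der(ssl.PEM_cert_to_DER_cert(pem))


def pin_matches(der: bytes, pin: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(fingerprint_of_der(der), normalize_fingerprint(pin))


def fetch_pinned(host: str, port: int, pin: str, check_ca: bool = True,
                 timeout: float = 10.0) -> bytes:
    """Open a TLS connection and send a request only if the leaf certificate matches `pin`.

    check_ca=True keeps the usual CA and hostname checks and adds the pin on top;
    check_ca=False is the mode the request describes, where the pin alone decides
    (needed for a self-signed server certificate)."""
    ctx = ssl.create_default_context()
    if not check_ca:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # The server always presents its certificate to a client, even with CERT_NONE
            der = tls.getpeercert(binary_form=True) or b""
            if not pin_matches(der, pin):
                # Handshake is done but nothing has been sent yet; abort here
                raise ssl.SSLCertVerificationError(
                    "presented certificate %s does not match the pin"
                    % colon_form(fingerprint_of_der(der)))
            tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n")
            return tls.recv(4096)


if __name__ == "__main__":
    # usage: pin_fetch.py HOST PIN [--no-ca]   (PIN as printed by openssl, or bare hex)
    target, pin = sys.argv[1], sys.argv[2]
    print(fetch_pinned(target, 443, pin, check_ca="--no-ca" not in sys.argv[3:]).decode("latin-1"))
```

To obtain the pin for a site, save its certificate as PEM and run `fingerprint_of_pem` on it (or `openssl x509 -noout -sha256 -fingerprint`, whose output `normalize_fingerprint` accepts as-is). One point that bears on the --cacert disagreement in this thread: an OpenSSL-based curl of that time verifies a chain only when it ends at a self-signed certificate in the trust store, so handing a server's own certificate to --cacert works when that certificate is self-signed (as the stunnel certificate in the script above is) and fails for a CA-issued server certificate, which cannot be its own root. A fingerprint pin compares the presented certificate directly and so does not depend on that chain building.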

Comment By: Dan Fandrich (dfandrich)
Date: 2012-09-20 13:38

Message:
I haven't played with this much, but passing the certificate in with
--cacert seemed to work for me on an OpenSSL-based curl.

----------------------------------------------------------------------

Comment By: adrelanos (adrelanos)
Date: 2012-09-19 14:56

Message:
curl --cacert pins the certificate authority, not the certificate.

You can not easily use the certificate locally. That would require a new
feature, which I am requesting here.

You can also not easily run a local certificate authority. This is because
you can not easily sign a certificate, if you do not have a certificate
signing request.
"OpenSSL users mailing list: Sign public key without having CSR or private
key?"
http://www.mail-archive.com/openssl-users@openssl.org/msg67968.html
http://www.mail-archive.com/openssl-users@openssl.org/msg67962.html

----------------------------------------------------------------------

Comment By: Dan Fandrich (dfandrich)
Date: 2012-09-19 13:43

Message:
Does this really buy you anything you wouldn't get by storing a copy of the
certificate on the local machine and passing that in?

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2012-09-19 13:40

Message:
A great idea!

Feel free to join us on the curl-library list and help us write code to
make this feature a reality!

----------------------------------------------------------------------

Received on 2012-09-22
