Feature Requests item #3569642, was opened at 2012-09-19 13:37
Message generated for change (Comment added) made by adrelanos
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=350976&aid=3569642&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: encryption
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: adrelanos (adrelanos)
Assigned to: Daniel Stenberg (bagder)
Summary: Pinning SSL certificates / check SSL fingerprints
Initial Comment:
Because SSL CAs have failed many times (Comodo, DigiNotar, ...) I wish to have
an option to pin an SSL certificate. The fingerprint may be optionally provided
through a new option.
Something like:
curl --tlsv1 --serial-number xx:yy:zz --fingerprint xxyyzz https://site.com?
----------------------------------------------------------------------
>Comment By: adrelanos (adrelanos)
Date: 2012-09-22 05:16
Message:
Ok, thank you very much, looks like this is becoming a documentation
enhancement rather than a feature request.
For myself to remember or anyone else interested....
For testing we need a .pem. Go to [CAcert's root certificate download
site](http://www.cacert.org/index.php?id=3) and download [Root Certificate
(PEM Format)](http://www.cacert.org/certs/root.crt).
While testing *sudo mv /usr/share/ca-certificates
/usr/share/ca-certificates_* was used.
Working:
curl --cacert ./root.crt https://www.cacert.org/ > cacert.html
Obviously failing:
curl https://www.cacert.org/ > cacert.html
And it obviously also fails, if something inside the certificate gets
modified. Fine.
The only open question which remains is how to get the .pem from any
website.
----------------------------------------------------------------------
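A worked answer to the open question above, added here as an example (it is not code from this thread or from the curl project): fetch the leaf certificate a server presents, compute its SHA-256 fingerprint in the same colon-separated form that openssl prints, and pin against that fingerprint rather than against a CA. The hostname and pin in the block are placeholders, and the PEM embedded in it is constructed (its body is only base64 of the bytes "abc", not a real certificate) so the fingerprint arithmetic can be checked offline. One caveat a practitioner should know before trying the --cacert route from the stunnel test further down: handing a downloaded leaf to --cacert only verifies when that leaf is self-signed, because curl's OpenSSL backend of that era needs a self-signed trust anchor; for a CA-issued leaf, comparing the fingerprint as below is what actually pins it (later curl releases added --pinnedpubkey for exactly this).

```python
"""Certificate pinning by SHA-256 fingerprint (added example, not curl code).

The sample PEM below is constructed for an offline check: its body is
base64 of the bytes b"abc", so it is not a real certificate, but every
function here treats it exactly as it would treat a real one.
"""
import base64
import hashlib
import hmac
import re
import ssl

# One PEM certificate block; the base64 body may span several lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample, NOT a real certificate: "YWJj" is base64 of b"abc".
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def fetch_server_pem(host, port=443):
    """Fetch the leaf certificate a TLS server presents, as PEM text.

    This is the bootstrap step for a pin, so chain verification is off
    (ssl.get_server_certificate with no ca_certs); run it from a network
    path you trust and confirm the fingerprint out of band before pinning.
    Needs network, so it is not exercised offline.
    """
    return ssl.get_server_certificate((host, port))


def pem_to_der(pem):
    """DER bytes of the first certificate in a PEM string (the leaf, when
    the input is a chain in server order)."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(der):
    """Colon-separated upper-case hex, matching
    `openssl x509 -noout -fingerprint -sha256`."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def normalize_pin(pin):
    """Canonical form for a pin: strip an `SHA256 Fingerprint=` prefix as
    openssl prints it, drop colons and whitespace, upper-case."""
    pin = pin.strip().rsplit("=", 1)[-1]
    pin = "".join(pin.split()).replace(":", "").upper()
    if len(pin) != 64 or any(c not in "0123456789ABCDEF" for c in pin):
        raise ValueError("pin is not a 64 hex digit SHA-256 fingerprint")
    return pin


def pin_matches(pem, expected_pin):
    """True if the first certificate in `pem` has the pinned fingerprint.
    Constant-time compare; cheap insurance even though a timing leak on a
    public fingerprint is mostly theoretical."""
    actual = normalize_pin(sha256_fingerprint(pem_to_der(pem)))
    return hmac.compare_digest(actual, normalize_pin(expected_pin))


def save_if_pinned(pem, expected_pin, path):
    """Write the PEM to `path` for use with `curl --cacert path` only if it
    matches the pin; returns False (and writes nothing) on mismatch.
    Remember that --cacert only verifies when the leaf is self-signed."""
    if not pin_matches(pem, expected_pin):
        return False
    with open(path, "w") as f:
        f.write(pem)
    return True


if __name__ == "__main__":
    # Placeholder host (assumption). First run: record the fingerprint it
    # prints. Later runs: pass that value to pin_matches() and refuse to
    # proceed on mismatch.
    HOST = "www.example.org"
    pem = fetch_server_pem(HOST)
    print(HOST, sha256_fingerprint(pem_to_der(pem)))
```

The fingerprint form is deliberately the one openssl prints, so a pin recorded with `openssl x509 -in site.pem -noout -fingerprint -sha256` can be pasted straight into `pin_matches()`; the prefix, colons and case are all normalized away before the constant-time compare.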
Comment By: Dan Fandrich (dfandrich)
Date: 2012-09-22 02:32
Message:
Here's a self-contained script using stunnel that works for me (using
stunnel 4.53, OpenSSL 1.0.0d and curl 7.21.5 or git HEAD). The stunnel cert
is self-signed so curl fails without the --cacert (or -k) option.
#!/bin/bash -x
# Plain HTTP server on port 8000, serving the current directory
python /usr/lib/python2.7/SimpleHTTPServer.py &
PYPID=$!
# stunnel terminates TLS on 8443 and forwards to the HTTP server on 8000;
# the config is fed on stdin so the script stays self-contained
stunnel /dev/stdin << EOF
debug=6
foreground=no
pid=/tmp/s$$.pid
[http]
client=no
cert=/etc/pki/tls/certs/stunnel.pem
key=/etc/pki/tls/private/stunnel.pem
connect=8000
accept=8443
EOF
sleep 1
# Trust only the self-signed stunnel cert; without --cacert (or -k) curl fails
curl -v --cacert /etc/pki/tls/certs/stunnel.pem https://$(hostname):8443/
kill $PYPID
kill $(< /tmp/s$$.pid)
----------------------------------------------------------------------
Comment By: adrelanos (adrelanos)
Date: 2012-09-20 14:50
Message:
As far as I understand --cacert pins the SSL Certificate Authority. There is
no option to pin the SSL Certificate directly.
If I am wrong,
1. please try to download a SSL certificate from a website
2. get it into curl usable form
3. deactivate systems ca-certificates (rename /usr/share/ca-certificates
for testing)
4. use the --cacert option with the downloaded certificate
It didn't work for me. If it does for you, please document your steps.
It's nowhere documented. I've been looking for this for some weeks already.
----------------------------------------------------------------------
Comment By: Dan Fandrich (dfandrich)
Date: 2012-09-20 13:38
Message:
I haven't played with this much, but passing the certificate in with
--cacert seemed to work for me on an OpenSSL-based curl.
----------------------------------------------------------------------
Comment By: adrelanos (adrelanos)
Date: 2012-09-19 14:56
Message:
curl --cacert pins the certificate authority, not the certificate.
You can not easily use the certificate locally. That would require a new
feature, which I am requesting here.
You can also not easily run a local certificate authority. This is because
you can not easily sign a certificate, if you do not have a certificate
signing request.
"OpenSSL users mailing list: Sign public key without having CSR or private
key?"
http://www.mail-archive.com/openssl-users@openssl.org/msg67968.html
http://www.mail-archive.com/openssl-users@openssl.org/msg67962.html
----------------------------------------------------------------------
Comment By: Dan Fandrich (dfandrich)
Date: 2012-09-19 13:43
Message:
Does this really buy you anything you wouldn't get by storing a copy of the
certificate on the local machine and passing that in?
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2012-09-19 13:40
Message:
A great idea!
Feel free to join us on the curl-library list and help us write code to
make this feature a reality!
----------------------------------------------------------------------
Received on 2012-09-22