curl-tracker Archives
[curl:bugs] #1348 RFE: add API for certificate pinning
From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Tue, 25 Mar 2014 09:57:22 +0000
Thanks for starting this!
I'd like you to take this discussion to the curl-library list. You'll see that you'll reach FAR more people there and it is a better place to discuss new features and ways to do things.
In general, we have so many SSL backends we don't expect new features to be done for all of them at once. We should just make sure that the feature is designed in a way so that we believe it can be implemented by the other backends and then we do as many of them as possible. There are fans of a whole bunch of them on the list so there's a good chance we can work together to have something for the 3-5 most commonly used ones already from the start.
---

**[bugs:#1348] RFE: add API for certificate pinning**
**Status:** open
**Labels:** SSL/TLS certificate
**Created:** Mon Mar 24, 2014 03:33 PM UTC by Enrico Scholz
**Last Updated:** Mon Mar 24, 2014 07:19 PM UTC
**Owner:** Daniel Stenberg

When using security sensitive applications (e.g. for accessing the Mozilla Persona verifier), it is often useful to do SSL certificate pinning instead of trusting the x509 CA system. It would be nice if curl had an API supporting certificate pinning. This API should be reliable, easy to use and should work across all the SSL backends ;)

Unfortunately, this is not the case with the current library. E.g. CURLOPT_CERTINFO + CURLOPT_SSL_CTX_FUNCTION is supported with OpenSSL only, and passing the certificate instead of the chain in CURLOPT_CAINFO works with OpenSSL only too.

For certificate pinning, easy access to the certificate fingerprint would be ideal. E.g. a CURLOPT_CERTFP option could be added which returns the fingerprint in CURLINFO_CERTFP. The type of hash could be either selected by the value of CURLOPT_CERTFP or by providing multiple CURLINFO_CERTFP_<hash> results. At the moment, I would prefer the first method.

Alternatively, the whole certificate could be returned by CURLOPT_CERTIFICATE and CURLINFO_CERTIFICATE_DER/PEM options.

---

Received on 2014-03-25
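The application-side check that the proposed CURLINFO_CERTFP / CURLINFO_CERTIFICATE_DER options would feed, as an added example that is not part of the thread or of curl itself: it assumes the application has already obtained the leaf certificate's DER bytes from the library and ships a set of fingerprint pins (more than one, so a backup certificate can be rolled out before rotation), and it fails closed on an empty pin set, a malformed pin or a hash-length mismatch. The DER bytes in the usage block are a constructed placeholder, not a real certificate.

```python
import binascii
import hashlib
import hmac

# Only collision-resistant digests are accepted as pin hashes; the hash name
# plays the role of the "type of hash" selector discussed in the report.
SUPPORTED_HASHES = ("sha256", "sha384", "sha512")


def _digest(der: bytes, algo: str) -> bytes:
    """Raw digest of the DER certificate bytes with a whitelisted hash."""
    if algo not in SUPPORTED_HASHES:
        raise ValueError(f"unsupported fingerprint hash: {algo}")
    return hashlib.new(algo, der).digest()


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hex fingerprint in the colon-separated upper-case form that
    `openssl x509 -fingerprint` prints, e.g. 'E3:B0:C4:...'."""
    return ":".join(f"{b:02X}" for b in _digest(der, algo))


def normalize_pin(pin: str) -> bytes:
    """Accept 'AB:CD:..' or 'abcd..' and return the raw digest bytes."""
    hexstr = pin.replace(":", "").strip().lower()
    try:
        return binascii.unhexlify(hexstr)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"malformed pin: {pin!r}") from exc


def cert_matches_pins(der: bytes, pins, algo: str = "sha256") -> bool:
    """Fail-closed pin check: True only if the certificate's fingerprint under
    `algo` equals one of `pins`. Every pin is compared in constant time and the
    loop does not short-circuit, so no timing difference reveals which pin hit."""
    if not pins:
        return False  # an empty pin set must never accept a certificate
    actual = _digest(der, algo)
    matched = False
    for pin in pins:
        expected = normalize_pin(pin)
        if len(expected) != len(actual):
            continue  # pin was made with a different hash; it cannot match
        if hmac.compare_digest(expected, actual):
            matched = True
    return matched


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for the DER leaf certificate.
    leaf_der = b"\x30\x82\x01\x00constructed placeholder certificate bytes"
    pins = [fingerprint(leaf_der), "00" * 32]  # current pin plus a stale backup
    print("pin check:", cert_matches_pins(leaf_der, pins))
```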
Page updated March 21, 2014.