[curl:bugs] #1471 CURLOPT_PINNEDPUBLICKEY documentation incomplete
From: Kyle <mackyle_at_users.sf.net>
Date: Fri, 16 Jan 2015 15:07:00 +0000
---

**[bugs:#1471] CURLOPT_PINNEDPUBLICKEY documentation incomplete**

**Status:** open
**Created:** Fri Jan 16, 2015 03:06 PM UTC by Kyle
**Last Updated:** Fri Jan 16, 2015 03:06 PM UTC
**Owner:** Daniel Stenberg

The documentation for CURLOPT_PINNEDPUBLICKEY available at:

<http://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html>

does not state what happens when BOTH CURLOPT_SSL_VERIFYHOST == 0 AND CURLOPT_SSL_VERIFYPEER == 0.

This is bad because (at least vtls/openssl.c) ignores the pinned public key (other than to emit a verbose mode message) when VERIFYHOST and VERIFYPEER are off.

For example (using curl 7.40 built with OpenSSL):

    cd /tmp
    openssl genrsa | openssl rsa -pubout > dummykey.pem
    curl -vI --pinnedpubkey dummykey.pem https://github.com/

This appears in the output:

    * SSL: public key does not match pinned public key!
    curl: (90) SSL: public key does not match pinned public key!

and curl's exit status is 90.

However, if we repeat like so:

    curl -vI -k --pinnedpubkey dummykey.pem https://github.com/

Then only this appears in the output:

    * SSL: public key does not match pinned public key!

And curl's exit status is 0.

That is completely unexpected and not mentioned anywhere in the docs for CURLOPT_PINNEDPUBLICKEY, so either it's a bug or the docs are wrong. And while you might also want to VERIFYHOST when using a pinned public key, that shouldn't be required to use one.

Please take appropriate action.

I'm inclined to believe it's a bug because the whole point of using pinned public keys is so that you can completely ignore trusted root certificates etc. in favor of a pinned public key.

---

Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/

Received on 2015-01-16
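The reproduction above generalizes into a small regression check: pin a throwaway public key that cannot match any server, run the request with and without `-k`, and require exit status 90 (the pin-mismatch status shown in the report) in both cases. The script below is an added example, not part of the bug report or of curl; it assumes `curl` and `openssl` are on `PATH` and that the target URL is reachable, and the `CURL` variable, `make_dummy_key`, `pinned_probe`, `classify_exit` and `pin_enforced` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the bug report or the curl project): check that
# curl keeps enforcing --pinnedpubkey when -k/--insecure is also given.
# Assumes curl and openssl on PATH; CURL may be overridden for testing.
CURL="${CURL:-curl}"

# Create a throwaway public key (assumed never to match a real server),
# so a pin mismatch is the only acceptable outcome when it is pinned.
make_dummy_key() {
    openssl genrsa 2>/dev/null | openssl rsa -pubout 2>/dev/null > "$1"
}

# One HEAD request to "$1", pinned to key file "$2", extra flags in "$3".
# Returns curl's exit status; output is discarded.
pinned_probe() {
    $CURL -sS -I -o /dev/null --pinnedpubkey "$2" $3 "$1"
}

# Classify curl's exit status for a request pinned to the dummy key.
classify_exit() {
    case "$1" in
        0)  echo "NOT_ENFORCED" ;;  # request succeeded despite a bad pin
        90) echo "ENFORCED" ;;      # "public key does not match pinned public key"
        *)  echo "OTHER_ERROR" ;;   # DNS, handshake or other failure
    esac
}

# Returns 0 only if the dummy pin is rejected both without and with -k.
pin_enforced() {
    url="$1"; key="$2"
    pinned_probe "$url" "$key" "";   plain=$(classify_exit $?)
    pinned_probe "$url" "$key" "-k"; insecure=$(classify_exit $?)
    printf 'without -k: %s\nwith -k:    %s\n' "$plain" "$insecure"
    [ "$plain" = ENFORCED ] && [ "$insecure" = ENFORCED ]
}

# Usage: sh check-pin.sh https://example.invalid/   (placeholder URL)
if [ "${1:-}" ]; then
    key=$(mktemp) && make_dummy_key "$key" && pin_enforced "$1" "$key"
fi
```

Any outcome other than ENFORCED for the `-k` run means the pin is being bypassed exactly as the report describes; an OTHER_ERROR on the plain run means the check never reached the pin comparison and says nothing about enforcement.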