curl-library

Finer control over certificate verification in SSL

From: Don Dwiggins <don_at_dondwiggins.net>
Date: Tue, 01 Jun 2010 16:03:13 -0700

I have an application that includes a web server acting as a client to a
"backend" server (using XMLRPC over HTTP), which has been working well.
Now, I want to secure the connection using SSL, with the client
verifying the backend server's certificate against a CA cert. I have
this partially working.

The problem I have is this: the application can be configured so that
multiple backend servers may exist on the same machine, distinguished by
their port numbers. So, I set the CN in the server certificate to
something like "foo.bar.com:4060".

Unfortunately, when I set CURLOPT_SSL_VERIFYHOST to 2, the verification
fails, because apparently libcurl only uses the host name to match the CN.

So, is there a way to tell libcurl to use the port name as well, or to
"take control" of verification with a function of my own? Alternately,
can I get access to the CN of the server certificate after "level 1"
verification, so I can write my own verification of the host name and port?

(By the way, I'm using Zend Framework's Curl Adapter on the client side,
which in turn uses the PHP curl wrapper.)

Thanks for any good words,

-- 
Don Dwiggins
Advanced Publishing Technology
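The name-matching step that makes a CN of "foo.bar.com:4060" fail, as an added Python illustration (not libcurl's or Zend's code): the comparison a TLS client performs covers the host name from the URL only, so a per-port expectation has to be enforced as a separate application-level check after the standard verification. The certificate dicts, the fake DER bytes, the pin table and `verify_backend` are constructed assumptions, not anything from the original post.

```python
import hashlib

# Constructed sample data: certificate dicts in the layout that
# ssl.SSLSocket.getpeercert() returns, plus fake DER bytes standing in
# for a real certificate (only their hash matters here).
CERT_PORT_IN_CN = {"subject": ((("commonName", "foo.bar.com:4060"),),)}
CERT_PLAIN_CN = {"subject": ((("commonName", "foo.bar.com"),),)}
CERT_WITH_SAN = {"subject": ((("commonName", "ignored"),),),
                 "subjectAltName": (("DNS", "*.bar.com"),)}
FAKE_DER_4060 = b"constructed-der-bytes-for-the-backend-on-port-4060"


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    '*' allowed only as the entire left-most label and never spanning a
    dot. Nothing here looks at a port: "foo.bar.com:4060" is simply a
    different string from "foo.bar.com"."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or "*" in pattern[1:] or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def cert_matches_host(cert, hostname):
    """The host-name check a client applies to the URL's host. dNSName
    SANs take precedence; the CN is consulted only when no dNSName exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(_name_matches(s, hostname) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(c, hostname) for c in cns)


def fingerprint(der_bytes):
    """SHA-256 of the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_bytes).hexdigest()


def verify_backend(cert, der_bytes, hostname, port, pins):
    """Two-step policy (constructed): the standard host-name check first,
    then a per-(host, port) pin on the certificate fingerprint. This is how
    a port-specific expectation can be enforced without putting the port
    into the CN. `pins` is an application-maintained table."""
    if not cert_matches_host(cert, hostname):
        return False
    return pins.get((hostname.lower(), port)) == fingerprint(der_bytes)
```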

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-06-02