curl-and-php
Re: Re: SSL POST w Client Certificate
Date: Mon, 14 Jul 2003 15:03:11 +0100
In reply to Kevin Lowe's email,
first let me thank you for the attention.
Second, the problem still exists. I converted the certificate to 3 PEM files
(attached), without any password required (not very secure, I know), but it
fails to be recognized with curl.
The same 3 certificate files ARE working with another implementation, based on
C and OpenSSL.
The code as I use it now:
if ($ch = curl_init()) {
    if (   (curl_setopt($ch, CURLOPT_URL, CC_POST_URL))
        && (curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2))
        && (curl_setopt($ch, 'CURLOPT_SSLCERTTYPE', 'PEM'))
        && (curl_setopt($ch, CURLOPT_SSLKEYTYPE, 'PEM'))
        && (curl_setopt($ch, CURLOPT_SSLCERT, 'cert.pem'))
        && (curl_setopt($ch, CURLOPT_SSLCERTPASSWD, ''))
        && (curl_setopt($ch, CURLOPT_SSLKEY, 'certkey.pem'))
        && (curl_setopt($ch, CURLOPT_SSLKEYPASSWD, ''))
        && (curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1))
        && (curl_setopt($ch, CURLOPT_CAINFO, 'certca.pem'))
        && (curl_setopt($ch, CURLOPT_POSTFIELDS, $param))
        && (curl_setopt($ch, CURLOPT_RETURNTRANSFER, 0))
    ) {
        echo htmlentities(curl_exec($ch));
    }
}
I'm doing this on W2K Professional, PHP 4.3.2, as CGI on IIS5.
A small introduction to the topic,
I need to perform a HTTPS POST to a certain site. Nothing new!
But I'm required to do it with a client certificate.
(I'm also doing it through a proxy! But it works fine.)
Let's take a look at the code:
if ($ch = curl_init()) {
    if (   (curl_setopt($ch, CURLOPT_URL, POST_URL))
        && (curl_setopt($ch, CURLOPT_HEADER, 0))
        && (curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0))
        && (curl_setopt($ch, CURLOPT_RETURNTRANSFER, 0))
        && (curl_setopt($ch, CURLOPT_CAINFO, 'C:/ca.pem'))
        && (curl_setopt($ch, CURLOPT_SSLCERT, 'C:/c.pem'))
        && (curl_setopt($ch, CURLOPT_SSLVERSION, 3))
        && (curl_setopt($ch, CURLOPT_POSTFIELDS, $param))
    ) {
        if (CC_PROXY)
            curl_setopt($ch, CURLOPT_PROXY, CC_PROXY);
        if (CC_PROXY_USER)
            curl_setopt($ch, CURLOPT_PROXYUSERPWD, CC_PROXY_USER);
        echo htmlentities(curl_exec($ch));
    }
    curl_close($ch);
}
And this code works, but the server doesn't recognize the client cert. In
the past I programmed SSL with openssl, and I got the idea that I have to
pass a third file, the private key, to do this. How can I pass it with curl
and php? (I believe curl makes it available).
The cert is public (for testing, and is in pkcs12 format, and I have
converted it to pem, as I have done before).
Comments anyone?
Nelson Gomes
Security Developer & Electronic Payments
- application/octet-stream attachment: certkey.pem
- application/octet-stream attachment: cert.pem
- application/octet-stream attachment: certca.pem
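
One way to send the request discussed in this message with the private key passed as its own file through CURLOPT_SSLKEY, added here as an example and not code from the poster or the curl project. The function name mtls_post, the URL and the POST body are assumptions, and it targets PHP 7.1 or later; it checks that the key belongs to the certificate before connecting and reports which option or which TLS step failed, where an && chain of curl_setopt calls would fall through silently.

```php
<?php
// Added example. mtls_post(), the URL and the POST body are hypothetical placeholders.
function mtls_post(string $url, string $body, string $cert, string $key, string $ca): string
{
    // Pre-flight: every PEM file must be readable by the web server account.
    foreach ([$cert, $key, $ca] as $file) {
        if (!is_readable($file)) {
            throw new RuntimeException("cannot read $file");
        }
    }
    // The private key must belong to the client certificate.
    if (!openssl_x509_check_private_key(file_get_contents($cert), file_get_contents($key))) {
        throw new RuntimeException('private key does not match certificate');
    }

    // Options keyed by name so a rejected one can be reported.
    $options = [
        'CURLOPT_URL'            => [CURLOPT_URL, $url],
        'CURLOPT_POSTFIELDS'     => [CURLOPT_POSTFIELDS, $body],
        'CURLOPT_RETURNTRANSFER' => [CURLOPT_RETURNTRANSFER, true],
        'CURLOPT_SSL_VERIFYPEER' => [CURLOPT_SSL_VERIFYPEER, true],  // verify the server chain
        'CURLOPT_SSL_VERIFYHOST' => [CURLOPT_SSL_VERIFYHOST, 2],     // and its host name
        'CURLOPT_CAINFO'         => [CURLOPT_CAINFO, $ca],
        'CURLOPT_SSLCERTTYPE'    => [CURLOPT_SSLCERTTYPE, 'PEM'],
        'CURLOPT_SSLCERT'        => [CURLOPT_SSLCERT, $cert],
        'CURLOPT_SSLKEYTYPE'     => [CURLOPT_SSLKEYTYPE, 'PEM'],
        'CURLOPT_SSLKEY'         => [CURLOPT_SSLKEY, $key],
    ];
    $ch = curl_init();
    foreach ($options as $name => [$option, $value]) {
        if (!curl_setopt($ch, $option, $value)) {
            throw new RuntimeException("curl_setopt rejected $name");
        }
    }
    $response = curl_exec($ch);
    if ($response === false) {
        // curl_error() carries the TLS library's message, e.g. a handshake or key error.
        throw new RuntimeException('request failed: ' . curl_error($ch));
    }
    return $response;
}

// Usage from the command line: php mtls_post.php https://payments.example.test/post
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    // Absolute paths, so the result does not depend on the CGI working directory.
    $dir = __DIR__;
    echo mtls_post($argv[1], 'amount=1', "$dir/cert.pem", "$dir/certkey.pem", "$dir/certca.pem");
}
```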