Re: SSL Client authentication

From: Daniel Stenberg <>
Date: Wed, 18 Apr 2001 10:01:14 +0200 (MET DST)

On Tue, 17 Apr 2001, Eric Rautman wrote:

> A question about client authentication using libcurl's
> curl_easy_setopt(curl, CURLOPT_SSLCERT, crtfile) function.
> the documentation mentions that 'crtfile' must contain the concatenation
> of the private key and the cert itself.

That's mainly because I never made it into two separate options. In fact,
someone should make libcurl offer to set them separately.

> Does this concatenated file need to be stored at the server?

No. Curl is not a server-side tool. Curl acts as a client and all you need
for curl is stored on curl's, the client's, side.

> If so, isn't this a serious security risk?

Storing the private key and certificate can always be a security risk and you
should always take necessary precautions to prevent others from accessing
your data. There's no difference if I concatenate the files or not though,
they're equally accessible to other persons.

> I thought the idea behind asymmetric encryption was to keep the private
> key at the host, not distribute it with the cert.

The file needed by curl is made from the two files concatenated, yes. It
doesn't mean you have to pass that file around in any way. If you need to
send your certificate to someone, then do that. *DO NOT* send the
concatenated file that has your private key as well.

> Or is the cert stored at the server without the private key concat'ed?

Correct, the server end does not have your private key stored.

> Does libcurl send this concat'ed file to the server at client
> authentication time, or just the cert itself?

The private key is used for the asymmetric encryption in the SSL layer, the
private key is never "sent" anywhere by curl or SSL.

  Daniel Stenberg -- curl project maintainer --
Curl-library mailing list
Received on 2001-04-18
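The workflow the mail describes, as an added shell example that is not part of the original message and not code from the curl project: build the single PEM file that CURLOPT_SSLCERT (curl --cert) expects by concatenating the private key and the certificate, keep that file readable only by its owner, and extract a certificate-only copy for anyone who needs your certificate. The function names and the placeholder PEM bodies are constructed for this example; they are not real key material.

```shell
#!/bin/sh
# Added example, not from the original mail or from the curl project.
# The PEM contents used below are constructed placeholders, not real keys.

# make_curl_cert_file KEY CERT OUT
# Concatenate private key + certificate into OUT, the one-file form that
# CURLOPT_SSLCERT takes, and restrict it to the owner since it now holds
# the private key. (Name and behaviour are this example's assumption.)
make_curl_cert_file() {
    key="$1"; cert="$2"; out="$3"
    ( umask 077; cat "$key" "$cert" > "$out" )   # created as 0600
    chmod 600 "$out"
}

# pem_has_private_key FILE
# Exit 0 if FILE contains any PEM private key block (PKCS#8, RSA, EC,
# encrypted PKCS#8 all carry "PRIVATE KEY" in the BEGIN line).
pem_has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# export_cert_only IN OUT
# Copy only the CERTIFICATE blocks of IN to OUT. OUT is what you hand to a
# server operator or CA; the concatenated file never leaves this host.
# Fails if a private key somehow still ended up in OUT.
export_cert_only() {
    awk '/^-----BEGIN CERTIFICATE-----$/ {p=1}
         p {print}
         /^-----END CERTIFICATE-----$/ {p=0}' "$1" > "$2"
    ! pem_has_private_key "$2"
}

# Stand-alone demonstration with constructed input files.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
              'MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7placeholder=' \
              '-----END PRIVATE KEY-----' > "$demo_dir/client.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
              'MIIDplaceholdercertificatebody=' \
              '-----END CERTIFICATE-----' > "$demo_dir/client.crt"

make_curl_cert_file "$demo_dir/client.key" "$demo_dir/client.crt" "$demo_dir/client.pem"
export_cert_only "$demo_dir/client.pem" "$demo_dir/client-public.crt"

if pem_has_private_key "$demo_dir/client.pem"; then
    echo "client.pem contains the private key: keep it local, use it with --cert"
fi
if ! pem_has_private_key "$demo_dir/client-public.crt"; then
    echo "client-public.crt contains only the certificate: safe to send"
fi
# Usage with curl (not run here, needs a server that requests a client cert):
#   curl --cert "$demo_dir/client.pem" https://example.com/
rm -rf "$demo_dir"
```

The point the awk filter enforces is the one the mail makes: the server side never needs, and must never receive, the private key half of the concatenated file, so the export step should be the only path by which the certificate leaves the machine.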