
curl-library

Re: SSL sample (again)

From: Goetz Babin-Ebell <babin-ebell_at_trustcenter.de>
Date: Tue, 16 Dec 2003 15:50:15 +0100

Hello Jerry,

Jerry G. Chiuan wrote:
> I would add these 2 lines before curl_easy_perform( ):
>
> /* stop libcurl from verifying peer's SSL certificate during SSL handshake
> phase, def: ON */
> curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYPEER, FALSE);
> /* check only existence of hostname in peer certificate during SSL handshake
> phase */
> curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYHOST, 1);

That is not good.
HTTPS without peer verification is useless.

You can turn off client authentication,
but you never should turn off peer cert verification.

> ----- Original Message -----
> From: "Adrian Michel" <michel_at_pacbell.net>
> To: <curl-library_at_lists.sourceforge.net>
> Sent: Sunday, December 14, 2003 1:26 AM
> Subject: SSL sample (again)

>>I am trying to run the SSL sample provided in the 7.10.7 distribution
>>(curl-7.10.7\docs\examples\simplessl.c) and I am a little confused about
>>what certificates, keys etc I need to set. The call to curl_easy_perform
>>returns CURLE_SSL_CERTPROBLEM. I tried to run the sample using
>>curl-ca-bundle.crt (the certificate provided with curl.exe).
>>
>>I am not very familiar with SSL, and I would appreciate it if somebody
>>could post the modified sample that would work (with this certificate or
>>other).

The test program needs at least the file with CA certificates for
peer verification (cacert.pem).

With this file you verify that you really connected to the site you
wanted to connect to.

An example CA cert file is lib/ca-bundle.crt.

If you don't want to use client authentication,
disable the lines from
    curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM");
through
    curl_easy_setopt(curl,CURLOPT_SSLKEY,pKeyName);

I have attached a patch for the needed changes to use the
test program without client verification...

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126

--- simplessl.c 2003-12-12 11:45:51.000000000 +0100
+++ simplessl_new.c 2003-12-16 15:44:49.000000000 +0100
@@ -16,18 +16,22 @@
 
 
 /* some requirements for this to work:
- 1. set pCertFile to the file with the client certificate
- 2. if the key is passphrase protected, set pPassphrase to the
- passphrase you use
- 3. if you are using a crypto engine:
- 3.1. set a #define USE_ENGINE
- 3.2. set pEngine to the name of the crypto engine you use
- 3.3. set pKeyName to the key identifier you want to use
- 4. if you don't use a crypto engine:
- 4.1. set pKeyName to the file name of your client key
- 4.2. if the format of the key file is DER, set pKeyType to "DER"
-
- !! verify of the server certificate is not implemented here !!
+ 1. you need a file with CA certificates to verify the peer.
+ This file must have the name cacert.pem
+ An example CA certificate file is ../../lib/ca-bundle.crt
+ 2. If you don't want to use client authentification:
+ 2.1. set pCertFile to NULL
+ 3. If you want to use client authentification:
+ 3.1. set pCertFile to the file with the client certificate
+ 3.2. if the key is passphrase protected, set pPassphrase to the
+ passphrase you use
+ 3.3. if you are using a crypto engine:
+ 3.3.1. set a #define USE_ENGINE
+ 3.3.2. set pEngine to the name of the crypto engine you use
+ 3.3.3. set pKeyName to the key identifier you want to use
+ 3.4. if you don't use a crypto engine:
+ 3.4.1. set pKeyName to the file name of your client key
+ 3.4.2. if the format of the key file is DER, set pKeyType to "DER"
 
    **** This example only works with libcurl 7.9.3 and later! ****
 
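Review bot: "authentification" in the new steps 2 and 3 (`+ 2. If you don't want to use client authentification:` and `+ 3. If you want to use client authentification:`) should read "authentication", matching the existing "set the cert for client authentication" comment further down in the file. The new step 1 also hard-codes the CA file name ("This file must have the name cacert.pem") although the code passes pCACertFile to CURLOPT_CAINFO; say that the file is whatever pCACertFile points at, so a reader who renames the bundle knows which variable to change.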
@@ -88,19 +92,22 @@
        }
                                 /* cert is stored PEM coded in file... */
                                 /* since PEM is default, we needn't set it for PEM */
- curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM");
+ if (pCertFile)
+ {
+ curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM");
                                 /* set the cert for client authentication */
- curl_easy_setopt(curl,CURLOPT_SSLCERT,pCertFile);
+ curl_easy_setopt(curl,CURLOPT_SSLCERT,pCertFile);
                                 /* sorry, for engine we must set the passphrase
                                    (if the key has one...) */
- if (pPassphrase)
- curl_easy_setopt(curl,CURLOPT_SSLKEYPASSWD,pPassphrase);
+ if (pPassphrase)
+ curl_easy_setopt(curl,CURLOPT_SSLKEYPASSWD,pPassphrase);
                                 /* if we use a key stored in a crypto engine,
                                    we must set the key type to "ENG" */
- curl_easy_setopt(curl,CURLOPT_SSLKEYTYPE,pKeyType);
+ curl_easy_setopt(curl,CURLOPT_SSLKEYTYPE,pKeyType);
                                 /* set the private key (file or ID in engine) */
- curl_easy_setopt(curl,CURLOPT_SSLKEY,pKeyName);
+ curl_easy_setopt(curl,CURLOPT_SSLKEY,pKeyName);
                                 /* set the file with the certs vaildating the server */
+ }
        curl_easy_setopt(curl,CURLOPT_CAINFO,pCACertFile);
                                 /* disconnect if we can't validate server's cert */
        curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,1);
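Review bot: the new closing `+ }` lands after the comment `/* set the file with the certs vaildating the server */`, so that comment now sits inside the `if (pCertFile)` block while the `curl_easy_setopt(curl,CURLOPT_CAINFO,pCACertFile);` call it describes stays outside it; move the `+ }` up to directly after `curl_easy_setopt(curl,CURLOPT_SSLKEY,pKeyName);` and fix "vaildating" to "validating" while there. As rendered here the added lines have also lost the indentation of the surrounding context lines. Finally, since the example now advertises server verification and the header comment still says it works with 7.9.3 and later, set CURLOPT_SSL_VERIFYHOST to 2 explicitly next to the CURLOPT_SSL_VERIFYPEER call instead of relying on the library default, so the certificate's name is checked against the host name on every libcurl version the example claims to support.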


Received on 2003-12-16