I got what I needed,

Only setting CURLOPT_SSL_VERIFYHOST to 2 is not enough as
      curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);

Additionally I had to set following,

curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl,CURLOPT_CAINFO, NULL);
curl_easy_setopt(curl,CURLOPT_CAPATH, NULL);

Which gaurantees validation of ceritificate using 'hostname' or
'ipaddress' of URL.

Thanks,
Nilesh

Nilesh wrote:

> Hi All,
>
> Requirement: Want to validate certificate coming for server when
> 'https' is used
> My application wants to validate certificate coming for server. This
> validation should be based on only ipaddress/hostname of the server
> which will be part of the certificate subject as CN (CommonName). My
> application know hostname/ipaddress of server from which certificate
> will come.
>
> Curl support: version 7.15.1, with openssl 0.9.7
> Curl gives an option CURLOPT_SSL_VERIFYHOST to check if certificate is
> coming from desired server.
> What man page says is curl will compare hostname/ipaddress of the URL
> with CN of incoming certificate.
> But what I found is it requires local certificate with CN name set to
> hostname/ipaddress. This certificate has to be stored on client side
> specified by CURLOPT_CAINFO and CURLOPT_CAPATH.
> As I understand it will basically compare CN portion of the
> certificates (inside stored local certificate and incoming
> certificate) and say if it is valid or not. Am I correct ?
>
> Query:
> Is it possible if I can specify (set) the ipaddress/hostname and let
> curl use only that for comparing against CN of certificate coming from
> server ?
> That way I don't require certifcate to be stored on client side
> beforehand.
>
> I hope I am clear on issue I am facing while doing certificate
> validation. Let me know if anybody want piece of code I tried.
>
> Any criticism, help, direction, knowledge, workaround in this regard
> will be helpful and thankful.
>
>
> Thanks,
> Nilesh
Received on 2006-03-22