
Re: ssl options question

From: Tiberiu Motoc <tiberiu.motoc_at_gmail.com>
Date: Thu, 2 Apr 2009 14:32:13 -0700

On Thu, Apr 2, 2009 at 5:59 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Wed, 1 Apr 2009, Tiberiu Motoc wrote:
>
>> How many ways are there to set ssl options? In the examples that I
>> successfully ran, it was enough to provide the CA certificate (and that is
>> all): curl_easy_setopt(curl,CURLOPT_CAINFO,"/home/..."). Why is the
>> simplessl example setting CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE? Is
>> this a different way of setting up an ssl connection - by using the SSL
>> certificate of the site and the key of the SSL certificate?
>
> You need to keep an eye on the details. There's a difference between a
> cacert bundle to verify the peer certificate, and a client certificate.
>
Thanks Daniel. I should have asked about CURLOPT_SSLCERT and
CURLOPT_SSLKEY, not about their types, but I think you understood what
I was asking.
I can't find a lot of stuff on the Internet about "peer certificates".
What exactly is a peer certificate and how does it differ from an ssl
certificate? Is a peer certificate an ssl certificate? If yes, then
why would anyone need to check the actual certificate (which is what I
suppose CURLOPT_SSLCERT and CURLOPT_SSLKEY do)? Why not check only the
certificate authority which released this certificate? (I apologize
for these questions. I know they are more "Internet security" than
"CURL".)

I noticed that when you set the CURLOPT_SSLKEY you have to provide the
unencrypted key. In my setup I cannot provide the unencrypted key
because I don't want the user to have access to it. Is that why a
crypto engine is necessary?

And one last question about my application: in my setup the web server
(URL) is static and doesn't change, and the client which is using CURL
accesses the server through SSL. I'm using SSL to provide encryption
from client to server only. Since I trust my server certificate, do I
really need to check it?

Thanks,
Tiberiu
>
>> Is there a browser (let's say Firefox) equivalent action for setting up
>> CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE?
>
> I don't know what format of client certificates Firefox supports.
>
> --
>
> / daniel.haxx.se
>
Received on 2009-04-02