curl-library

Re: Using a client certificate when doing SSL

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 1 Feb 2010 23:16:25 +0100 (CET)

On Thu, 28 Jan 2010, Adrian Michel wrote:

> My app uses libcurl to make https requests based on this example
> http://curl.haxx.se/libcurl/c/https.html and I do not use a client side
> certificate. My goal is not to authenticate the server, as I also control
> the server side, but to ensure the requests and responses are encrypted. I'm
> wondering though if not having a client side certificate could make the
> application less secure, or have any other unintended consequences.

No, it won't make your client-side less secure, it will possibly make the
server-side less sure of who's really communicating with it.

There's no additional encryption or anything going on when you use a client
certificate, it is "just" an added certificate.

> Also, when using a client certificate with libcurl, is there a way to pass
> it from memory instead of a file? Or is it required by the standards that
> the cert must be in a file? It would make deployment simpler if the cert was
> in a resource inside the executable.

I agree that it would be nifty to have such a way, but we have no such API
(yet). It has been asked for before, so I'm sure you're not alone in wanting that
ability. You up to working to get it introduced?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-02-01