
curl-library

Re: curl + polarssl certificate validation problem

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 29 Jul 2010 23:47:15 +0200 (CEST)

On Sun, 25 Jul 2010, Paul Bakker wrote:

(I'm CC'ing this response to the curl-library list which might be a better
list to keep this discussion on.)

> Within the PolarSSL patch in cURL, there is a call to
> ssl_get_verify_result(), where the result of the certification validation is
> retrieved.
>
> In case of a self-signed certificate, where the CA certificate is not passed
> to the library as trusted, PolarSSL will return BADCERT_NOT_TRUSTED.

I believe there's a bug there.

The PolarSSL return code 'BADCERT_CN_MISMATCH' sounds like it indicates that
the host name that is requested doesn't match the peer's certificate. In
libcurl this is controlled by a separate bit than the one that checks all
other certificate details.

I don't have a polarssl install prepared right now to test, but I suggest a
patch similar to the one I attach here. I'll appreciate comments/flames/praise
on how it behaves.

-- 
  / daniel.haxx.se
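The split Daniel describes above, modelled as an added C example (this is not the attached patch, nor libcurl's or PolarSSL's own code): a hostname mismatch belongs to libcurl's separate verifyhost switch, while every other bit of the PolarSSL verify result belongs to verifypeer. The BADCERT_* values are assumed here to follow PolarSSL's x509.h; the outcome enum and the functions map_old and map_new are names chosen for this example.

```c
#include <stdio.h>

/* PolarSSL verify-result flags as returned by ssl_get_verify_result().
 * Values assumed to match PolarSSL's x509.h; they are constants for this
 * stand-alone model, not taken from the mail. */
#define BADCERT_EXPIRED     0x01
#define BADCERT_REVOKED     0x02
#define BADCERT_CN_MISMATCH 0x04
#define BADCERT_NOT_TRUSTED 0x08

/* Outcomes, loosely modelled on libcurl's result codes (hypothetical enum). */
enum verify_outcome {
  VERIFY_OK = 0,
  VERIFY_PEER_FAILED,   /* in libcurl terms: CURLE_PEER_FAILED_VERIFICATION */
  VERIFY_HOST_MISMATCH  /* name in the certificate != requested host name */
};

/* The mapping the mail calls a bug: every flag, CN mismatch included, is
 * gated only by the peer-verification switch, so verifyhost is ignored. */
enum verify_outcome map_old(int flags, int verifypeer, int verifyhost)
{
  (void)verifyhost;                 /* never consulted: that is the defect */
  if(flags && verifypeer)
    return VERIFY_PEER_FAILED;
  return VERIFY_OK;
}

/* The mapping the mail suggests: split BADCERT_CN_MISMATCH out and gate it
 * by verifyhost; gate the remaining bits by verifypeer. A trust failure
 * takes precedence over a name mismatch when both are set. */
enum verify_outcome map_new(int flags, int verifypeer, int verifyhost)
{
  int peer_flags = flags & ~BADCERT_CN_MISMATCH;
  if(verifypeer && peer_flags)
    return VERIFY_PEER_FAILED;
  if(verifyhost && (flags & BADCERT_CN_MISMATCH))
    return VERIFY_HOST_MISMATCH;
  return VERIFY_OK;
}

/* Render the raw flags for a failf()-style diagnostic. Returns buf. */
const char *describe_flags(int flags, char *buf, size_t n)
{
  int len = 0;
  buf[0] = '\0';
  if(flags & BADCERT_EXPIRED)     len += snprintf(buf + len, n - len, "expired ");
  if(flags & BADCERT_REVOKED)     len += snprintf(buf + len, n - len, "revoked ");
  if(flags & BADCERT_CN_MISMATCH) len += snprintf(buf + len, n - len, "cn-mismatch ");
  if(flags & BADCERT_NOT_TRUSTED) len += snprintf(buf + len, n - len, "not-trusted ");
  if(len == 0) snprintf(buf, n, "ok");
  return buf;
}

int main(void)
{
  /* Constructed scenarios: (flags, verifypeer, verifyhost). */
  struct { int flags, peer, host; } cases[] = {
    { BADCERT_CN_MISMATCH, 1, 0 },   /* host check off: old code still rejects */
    { BADCERT_CN_MISMATCH, 0, 1 },   /* host check on, peer off: old code accepts */
    { BADCERT_NOT_TRUSTED, 1, 1 },   /* untrusted CA: both reject */
    { BADCERT_NOT_TRUSTED | BADCERT_CN_MISMATCH, 1, 1 },
    { 0, 1, 1 },
  };
  char buf[64];
  size_t i;
  for(i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
    printf("%-28s peer=%d host=%d  old=%d new=%d\n",
           describe_flags(cases[i].flags, buf, sizeof(buf)),
           cases[i].peer, cases[i].host,
           map_old(cases[i].flags, cases[i].peer, cases[i].host),
           map_new(cases[i].flags, cases[i].peer, cases[i].host));
  return 0;
}
```

The second scenario is the one that matters for a defender: with verifypeer off but verifyhost on, the old mapping never looks at the CN bit and silently accepts a certificate issued for a different name, while the proposed mapping reports the mismatch.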


-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2010-07-29