cURL / Mailing Lists / curl-library / Single Mail


Re: libcurl with client ssl certificate

From: Ralph Mitchell <>
Date: Sun, 19 Aug 2012 14:31:07 -0400

On Sun, Aug 19, 2012 at 1:57 PM, Daniel Stenberg <> wrote:

> On Sun, 19 Aug 2012, Ralph Mitchell wrote:
>>>> static const char *pCertFile = "cert.pem";
>>>> static const char *pCACertFile="cert.pem";
>>> This seems like a highly unlikely scenario. The same file, really?
>> A self-signed cert would be its own CA cert, so it's possible.
> But the pCertFile is the SSL _client_ cert. It would mean that he uses the
> client cert file to verify the server cert and still also use that to
> authenticate to the server. It might be possible, but my money is on a
> mistake or misunderstanding somewhere.

Yes, true!! The *server* would need to have the client's CA chain to
validate the client cert, and the *client* would need the server's CA chain
to validate the server cert. If the OP has a self-signed CA cert that
signed both the client and server certs, the chain file would be the same
for both ends.

However, command-line curl must have successfully validated the server
using just the CApath:

     * successfully set certificate verify locations:
     * CAfile: none
       CApath: /etc/ssl/certs

so pCACertFile doesn't need setting to cert.pem.

>> so the key would need to be in the same file too. The one thing that I'm
>> not sure about is the compiled program reporting:
>> * found 142 certificates in /etc/ssl/certs/ca-certificates.crt
>> when it *should* be looking for CA certs in the file designated by
>> pCACertFile. Does libcurl automatically look in ca-certificates as well as
>> any file you designate?
> Very good remark there! No, libcurl will in that case only use the single
> file specified in the setopt. It would indicate that he actually has 142
> certificates in the file. That also hints that it isn't a client cert at
> all...

In command-line curl, -E <filename> specifies a file containing both key
and matching certificate. Is libcurl going to bail out if it finds
multiple unrelated certificates in that file, as well as the expected
key/cert entries? Does the order of the entries matter?

Personally, I'd prefer to keep the key, cert and chain files separate, so I
know what's where, but I can see there might be reasons for keeping the pem
files in one big lump.

Ralph Mitchell
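One check that would settle the question raised above about what a file handed to -E / CURLOPT_SSLCERT actually contains, added here as an example that is not part of the thread: it counts the PEM private-key and certificate blocks and classifies the file as a client cert (key plus cert) or a CA bundle (many certs, no key). The sample files it writes are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not from the thread. A file for -E / CURLOPT_SSLCERT should
# hold one private key and one matching certificate; a file with dozens of
# certificates and no key (like the "142 certificates" report) is a CA bundle
# and belongs in --cacert / CURLOPT_CAINFO instead.

# pem_summary FILE -> prints "<key blocks> <certificate blocks>"
pem_summary() {
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    printf '%s %s\n' "$keys" "$certs"
}

# pem_role FILE -> "client-cert", "ca-bundle" or "unknown"
pem_role() {
    set -- $(pem_summary "$1")
    if [ "$1" -ge 1 ] && [ "$2" -ge 1 ]; then echo client-cert
    elif [ "$1" -eq 0 ] && [ "$2" -ge 1 ]; then echo ca-bundle
    else echo unknown; fi
}

# make_samples -> prints a temp dir holding constructed client.pem and
# ca-bundle.pem; the base64 bodies are placeholders, not real key material.
make_samples() {
    dir=$(mktemp -d)
    {
        printf -- '-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n'
        printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n'
    } > "$dir/client.pem"
    for i in 1 2 3; do
        printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n'
    done > "$dir/ca-bundle.pem"
    echo "$dir"
}

# Usage: classify both constructed files.
sample_dir=$(make_samples)
for f in "$sample_dir/client.pem" "$sample_dir/ca-bundle.pem"; do
    printf '%s: %s (keys certs: %s)\n' "$f" "$(pem_role "$f")" "$(pem_summary "$f")"
done
```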

Received on 2012-08-19