
curl-library

Re: SSL with Client Cert but without Server cert validation?

From: Oscar Koeroo <okoeroo_at_nikhef.nl>
Date: Wed, 03 Oct 2012 09:47:41 +0200

On 02-10-12 19:55, Bill Lear wrote:
> I have an unusual situation with an embedded SSL client using libcurl.
>
> I need to send a client certificate to the server for validation even though the client does not validate the server certificate. (CURLOPT_SSL_VERIFYPEER = 0)
>
> Is this possible? I have confirmed that I can establish a connection when I supply a CACert bundle and set VERIFYPEER = 1, but the connection is refused when I set VERIFYPEER = 0.
>
> Thanks,
>
> Bill

Hi,

Do you have more information on how/why it failed, for example by using the
verbose output?

There are two options to toggle:
    curl_easy_setopt(hc->curl, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(hc->curl, CURLOPT_SSL_VERIFYHOST, 2L);

Details are available in the documentation. Setting both to zero is equal to
the "-k" option.

If you also want to remove the usage of the default included CA bundle (this
is an add-on to the previous options), then you could write a small SSL_CTX
callback function:
    curl_easy_setopt(hc->curl, CURLOPT_SSL_CTX_FUNCTION, *sslctx_function);

This callback function will prepare a bare SSL_CTX and by default it has no
default CA location inclusion, like the CA bundle file.

        Oscar
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-10-03