Re: ssl-pinning in libcurl

From: venkatesh perumalla <perumalla.venki_at_gmail.com>
Date: Thu, 25 Jul 2013 10:50:32 +0530

But from the comments of the function "servercert", it looks like it handles the
"man in the middle attack".
Do we have to do anything extra to avoid the "man in the middle attack"?

/*
 * Get the server cert, verify it and show it etc, only call failf() if the
 * 'strict' argument is TRUE as otherwise all this is for informational
 * purposes only!
 *
 * We check certificates to authenticate the server; otherwise we risk
 * man-in-the-middle attack.
 */

On Thu, Jul 25, 2013 at 12:30 AM, Nick Zitzmann <nick_at_chronosnet.com> wrote:

> (This is the list for discussions of curl. We ought to move this
> conversation to the curl-library mailing list; I'm responding to this list
> just in case you haven't subscribed to it. But follow-ups should go there.)
>
> On Jul 24, 2013, at 7:51 AM, venkatesh perumalla <
> perumalla.venki_at_gmail.com> wrote:
>
> > Hi,
> >
> > Does curl do the ssl-pinning which can avoid the "man in the middle attack"?
> > Does it do the strict validation, as explained in the link below?
> > https://www.owasp.org/index.php/Pinning_Cheat_Sheet#OpenSSL
>
> You can do this yourself, if you're using the OpenSSL back-end, by using
> the CURLOPT_SSL_CTX option and overriding the certificate verification
> callback. There isn't yet an option to let the library do this. If you'd
> like one, then consider writing a patch that does it for as many back-ends
> as possible.
>
> > Does the servercert function do all the validations
> > by setting CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER?
>
> Yes, and they are turned on by default. I don't recommend you change those
> settings unless you really know what you're doing.
>
> Nick Zitzmann
> <http://www.chronosnet.com/>
>
>

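Nick's suggestion carried through, as an added example that is neither curl's own code nor the OWASP snippet: a CURLOPT_SSL_CTX_FUNCTION callback installs an OpenSSL verify callback that hashes the leaf certificate's SubjectPublicKeyInfo and compares it, in constant time, against a pinned SHA-256, while libcurl's normal chain and hostname checks stay on. The names pin_matches, verify_cb, sslctx_cb and the USE_OPENSSL_PINNING build macro are assumptions of this example, the pin bytes are a constructed placeholder, and the libcurl/OpenSSL glue is compiled only when that macro is defined so the comparison routine builds and runs on its own.

```c
/* Added example, not curl's own code: public-key pinning from a CURLOPT_SSL_CTX_FUNCTION
 * callback on the OpenSSL back-end. pin_matches, verify_cb, sslctx_cb and
 * USE_OPENSSL_PINNING are hypothetical names; the pin is a constructed placeholder. */
#include <stddef.h>

/* Constructed placeholder, not a real key: SHA-256 of the expected leaf SubjectPublicKeyInfo DER. */
static const unsigned char PINNED_SPKI_SHA256[32] = {
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,
    0xff,0xee,0xdd,0xcc,0xbb,0xaa,0x99,0x88,0x77,0x66,0x55,0x44,0x33,0x22,0x11,0x00 };

/* Constant-time digest compare: 1 if digest equals the pin, else 0. */
int pin_matches(const unsigned char *digest, size_t len) {
    unsigned char diff = 0;
    size_t i;
    if (len != sizeof PINNED_SPKI_SHA256) return 0;
    for (i = 0; i < len; i++) diff |= digest[i] ^ PINNED_SPKI_SHA256[i];
    return diff == 0;
}

#ifdef USE_OPENSSL_PINNING /* the rest needs libcurl and OpenSSL headers at build time */
#include <stdio.h>
#include <curl/curl.h>
#include <openssl/ssl.h>
#include <openssl/sha.h>

/* OpenSSL verify callback: chain validation already ran (preverify_ok); on top of it,
 * the leaf certificate (depth 0) must carry the pinned public key. */
static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) {
    unsigned char *der = NULL, md[SHA256_DIGEST_LENGTH];
    int len, ok;
    if (!preverify_ok) return 0;
    if (X509_STORE_CTX_get_error_depth(ctx) != 0) return 1;
    len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(X509_STORE_CTX_get_current_cert(ctx)), &der);
    if (len <= 0) return 0;
    SHA256(der, (size_t)len, md);
    OPENSSL_free(der);
    ok = pin_matches(md, sizeof md);
    if (!ok) X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
    return ok;
}

/* libcurl hands over the SSL_CTX just before the handshake; install the callback here. */
static CURLcode sslctx_cb(CURL *curl, void *sslctx, void *parm) {
    (void)curl; (void)parm;
    SSL_CTX_set_verify((SSL_CTX *)sslctx, SSL_VERIFY_PEER, verify_cb);
    return CURLE_OK;
}

/* Usage on a handle, with CURLOPT_SSL_VERIFYPEER/VERIFYHOST left at their defaults:
 * curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctx_cb); */
#endif
```

Because verify_cb only tightens what OpenSSL already accepted, a mismatched pin fails the handshake without loosening the chain or hostname checks Nick says to leave enabled.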
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-07-25