curl-library

AW: Curl for https

From: Bunse, Stephan (Stephan) <stephan.bunse_at_alcatel-lucent.com>
Date: Fri, 2 Aug 2013 12:40:00 +0000

Hi,
It doesn't really help, but thanks for your answer. I was aware of that feature. But I am looking for a solution which I can place in a C library. Naturally, I can initiate a system call from the C code, get the result and do some string stuff. But I think there should be a better solution for this problem.

Stephan

From: curl-library [mailto:curl-library-bounces_at_cool.haxx.se] On Behalf Of Mischa Salle
Sent: Friday, 2 August 2013 12:48
To: libcurl development
Subject: Re: Curl for https

Hi,

If you just need to grab the certificate with a cmdline tool, you can use e.g. openssl s_client:
 openssl s_client -connect www.example.com:443
You can get the whole chain (not in your case) with
 openssl s_client -showcerts -connect www.example.com:443
Then just copy & paste the lines starting from BEGIN CERTIFICATE till END CERTIFICATE, which is just the pem encoded cert files.

Hope this is of any help,
Mischa

On Fri, Aug 2, 2013 at 10:37 AM, Bunse, Stephan (Stephan) <stephan.bunse_at_alcatel-lucent.com> wrote:
Hello,

I know about the security reasons, and the principle procedure. But right now I'm blocked with the first step: How to download the certificate? I tried to use CURLOPT_CERTINFO and investigated the result with curl_easy_getinfo with the option CURLINFO_CERTINFO. Unfortunately, the API description is somewhat vague and I need a more detailed description how to do that.

Stephan

On Aug 1, 2013, at 7:26 AM, "Bunse, Stephan (Stephan)" <stephan.bunse_at_alcatel-lucent.com> wrote:

> Hello,
>
> I want to write a program, which retrieves information using https. Unfortunately, the server has a self signed certificate, so curl fails, unless the options CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are set to 0. That works, but I would like to download the certificate of the server, store it and check against it next time. Does anybody have an idea how to do this?

I can't really recommend programming an HTTPS client that arbitrarily accepts self-signed certificates for obvious security reasons. It's probably better to distribute the certificate with the program if it is the legitimate certificate.

Anyway, to allow libcurl to work with self-signed certificates once you have one: If you are using Schannel or Secure Transport for TLS, then you must import the certificate into the system and mark it as trusted. For all other engines, save the certificate, and pass the path to it into curl_easy_setopt() with the option CURLOPT_CAINFO.

Nick Zitzmann
<http://www.chronosnet.com/>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

--
Van Boshuizenstraat 443
1082 AR Amsterdam
The Netherlands
Tel. (+31/0)20-4043782

Received on 2013-08-02
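
Added example, not part of the thread: the copy-and-paste step from the openssl s_client reply and the CURLOPT_CAINFO advice combined into shell functions that store the server certificate on first contact and verify against it afterwards. The function names and the file name server.pem are assumptions made for this example.

```bash
# Added example, not from the thread. Host, port and file names are
# placeholders supplied by the caller.

# Print the first PEM certificate on stdin (the server's own certificate in
# `openssl s_client` output). Prints nothing and fails if no complete
# BEGIN/END block is present.
first_pem_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; pem = "" }
        inside { pem = pem $0 "\n" }
        inside && /-----END CERTIFICATE-----/ { printf "%s", pem; found = 1; exit }
        END { exit !found }
    '
}

# First contact: store the certificate as the pin and print its SHA-256
# fingerprint so it can be compared with the server operator out of band.
pin_server_cert() {   # usage: pin_server_cert HOST PORT PIN_FILE
    pin_tmp=$(mktemp "$3.XXXXXX") || return 1
    if openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        first_pem_cert >"$pin_tmp"; then
        mv "$pin_tmp" "$3" &&
            openssl x509 -in "$3" -noout -fingerprint -sha256
    else
        rm -f "$pin_tmp"
        return 1
    fi
}

# Later requests: verification stays enabled and the pinned file is passed as
# the CA bundle. --cacert is the curl tool's form of CURLOPT_CAINFO.
fetch_pinned() {      # usage: fetch_pinned URL PIN_FILE
    curl --silent --show-error --fail --cacert "$2" "$1"
}

# Usage:
#   [ -s server.pem ] || pin_server_cert www.example.com 443 server.pem
#   fetch_pinned https://www.example.com/ server.pem
```

Host name verification still applies with --cacert, so the certificate's subject must match the host name in the URL.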