My original reason for asking this was I need to provide a workflow
similar to a browser where, upon receiving a CURLE_SSL_CACERT error, I
would display the server certificate details to the user and ask if
they wanted to trust the certificate. Of course it was a
chicken-vs.-egg problem in that I needed the connection to succeed
before I could get the certificate.

One workaround I considered was creating a one-shot dummy connection
with verification disabled to just grab and present the certificate
details. However, I am now realizing that a bigger issue is setting
CURLOPT_CERTINFO is not supported in all of the environments I am
looking at supporting (e.g. OSX 10.9) due to particulars of the
selected ssl implementation.

Is there any other more generic way to get the server certificate
information that does not rely on the underlying ssl implementation
curl is using (debug callback looked like a possibility but awfully
heavy handed)? Or do I need to consider building/bundling my own
libcurl/libopenssl combination for each platform I want to support
with my application?

On Tue, Oct 29, 2013 at 6:00 PM, Rich Bramante <rich.bramante_at_gmail.com> wrote:
> Using libcurl 7.24.0 bundled on OSX 10.8.5
>
> CURLOPT_SSL_VERIFYPEER 1
> CURLOPT_SSL_VERIFYHOST 2
> CURLOPT_CERTINFO 1
>
> When a connection fails with CURLE_SSL_CACERT I attempt to get the
> certificate information via CURLINFO_CERTINFO and then present those
> details to the user. Unfortunately, curl_certinfo num_of_certs is
> always 0 in this case. If I am able to connect either due to a valid
> cert or disabling the verification checks I can then fetch this
> information. I was able to reproduce this behavior with the certinfo.c
> example.
>
> Is this expected behavior?
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-11-07