
curl-library

Client certificate callbacks from OpenSSL

From: Dave W <djwopen_at_gmail.com>
Date: Mon, 3 Mar 2014 13:10:32 +0000

Hi

I am using libcurl in conjunction with OpenSSL.

I would like to receive a callback whenever an SSL connection requests
a client certificate. I see this can be done with OpenSSL's
SSL_CTX_set_client_cert_cb.

This fits in nicely with CURLOPT_SSL_CTX_FUNCTION, which instructs
libcurl to call back whenever a new SSL connection is being created;
the prototype is:

CURLcode (*ssl_ctx_fn)(CURL* curl, SSL_CTX* sslctx, void* param)

The problem I have is mapping the OpenSSL client certificate callback
to a CURL*.

The callback has this prototype:

int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);

i.e. it gives me an SSL*, from which I can get the corresponding
SSL_CTX*, which I can then map back to a CURL*.

However, it might map back to the "wrong" CURL*, say if SSL
re-negotiation takes place:

- CURL* 1 makes a request to an HTTPS URL which doesn't require a
client cert; libcurl calls back when the SSL_CTX is created
- CURL* 2 then makes another request to an HTTPS URL on the same
server (thus re-using the connection), however this URL *does* require
a client cert so OpenSSL calls the client_cert_cb

The SSL* provided will map to the SSL_CTX* from the first request, and
from there back to CURL* 1, which is not correct.

I guess the underlying problem is that I can't find any way to
associate the SSL* with a CURL*. Does anyone have any ideas, or would
I have to modify the libcurl source?

Dave W
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-03-03