cURL / Mailing Lists / curl-library / Single Mail

curl-library

Generic SSL verification function

From: Enrico Scholz <enrico.scholz_at_ensc.de>
Date: Tue, 25 Mar 2014 13:35:48 +0100

Hi,

to support enhanced SSL certificate verifications like certificate
pinning I opened bug 1348[1] and implemented some ideas at github[2]
(atm, for NSS only)

Basically, the commits at github add a new CURLOPT_SSL_VERIFY option set
which defines a callback function and private data. It can be used like

  static int my_ssl_verify(unsigned int depth, void const *der,
                           size_t der_len, void *priv)
  {
    struct my_context *ctx = priv;

    if (depth != 0)
      return 0;

    /* pseudo or C++ code; C does not have such an != operator */
    if (sha1sum(der, der_len) != ctx->fingerprint) {
      logerr("certificate mismatch");
      return -1;
    }

    return 0;
  }

  curl_easy_setopt(curl, CURLOPT_SSL_VERIFY_FUNCTION, my_ssl_verify);
  curl_easy_setopt(curl, CURLOPT_SSL_VERIFY_DATA, my_ctx);

This verification function is called when all the other SSL verification
(CA Chain, CRL, Date) succeeded. It will be called with decreasing
'depth'; e.g. the first call will be with the root CA and the last one
with depth == 0 will be the server certificate.

I am not sure, whether all crypto backends support the extraction of the
whole CA chain, so it is guaranteed only that the function will be called
at least once and that the last call with be with depth 0. There might
be added CURLINFO_SSL_VERIFY_MAXDEPTH which returns 1 for backends with
incomplete CA chains and something else for complete ones. But this is
not implemented atm.

I think, this API can obsolete the CURLOPT_CERTINFO API because
application can extract the wanted information in the callback. It
is more usable for verification purposes because it happens during
connect (--> before sensitive data are sent to the server) and is
easy to implement in the application.

What do you think? Is such an API a good idea or is there a better way
to solve SSL certificate verification?

Enrico

Footnotes:
[1] https://sourceforge.net/p/curl/bugs/1348/

[2] https://github.com/ensc/curl/commits/ssl-verify

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-03-25