
curl-library

RE: libcURL - OSX 10.10 - client certificates (CURLOPT_SSLCERT)

From: Joe Mason <jmason_at_blackberry.com>
Date: Tue, 3 Feb 2015 16:04:57 +0000

> From: curl-library [curl-library-bounces_at_cool.haxx.se] on behalf of Hölzl, Dominik [Dominik.Hoelzl_at_fabasoft.com]
> Subject: libcURL - OSX 10.10 - client certificates (CURLOPT_SSLCERT)
>
> Has anybody experience with client certificates (CURLOPT_SSLCERT) on Mac OSX (10.10)?

Yes, but not on OSX specifically.
> I could not find a callback method which indicates the requirement of a client certificate for a request (a point where I can ask the user to select one of the in the key store installed client certificates).

Use CURLOPT_SSL_CTX_FUNCTION to set a callback that gets called during setup of an SSL connection. From this function, use SSL_CTX_set_client_cert_cb to set the callback you're looking for:

#include <curl/curl.h>
#include <openssl/ssl.h>

int sslClientCertCallback(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
    // At this point you can set the client cert immediately by filling in x509 and pkey
    // and returning 1, return 0 to continue the handshake without a client cert, or
    // return a negative value to suspend the handshake if you need to prompt for the
    // cert asynchronously. See https://www.openssl.org/docs/ssl/SSL_CTX_set_client_cert_cb.html.
    return 0;
}

// libcurl hands the SSL_CTX over as void *; cast it before passing it to OpenSSL.
CURLcode sslContextCallback(CURL *handle, void *context, void *userdata)
{
    SSL_CTX_set_client_cert_cb((SSL_CTX *)context, &sslClientCertCallback);
    return CURLE_OK;   // a CURLcode: tells libcurl the context setup succeeded
}

curl_easy_setopt(handle, CURLOPT_SSL_CTX_FUNCTION, &sslContextCallback);
curl_easy_setopt(handle, CURLOPT_SSL_CTX_DATA, userdata);

> If I want to use another client certificate (by setting another CN) within the same process but for a new request, cURL seems to ignore this and always uses the certificate used in the first successful
> request. How can I clear this SSL-cache? I have tried CURLOPT_FRESH_CONNECT/TRUE and CURLOPT_SSL_SESSIONID_CACHE/FALSE without effect.
>
> If I do not set CURLOPT_SSLCERT for a request, cURL seems to take a random installed certificate (not the certificate configured by an identity preference in the key store) or it randomly throws a
> CURLE_SSL_CONNECT_ERROR.

I've never seen these issues.

Joe
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-02-03