
Re: Custom verification of server side certs

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 10 Jul 2015 18:44:57 -0400

On 7/10/2015 7:24 AM, Alex Bligh wrote:
> We have a situation where we have a custom CA that has signed
> server and client certificates.
>
> The server certificates have CNs (like "server-abcde") which
> are unrelated to the URL used to access them e.g.
> "https://192.168.100.2:8443/"
>
> I think I need to leave CURLOPT_SSL_VERIFYPEER turned on to
> ensure the cert is signed by the correct CA.
>
> Obviously I don't want libcurl to verify that the CN matches the URL
> as it won't. So I need to turn off CURLOPT_SSL_VERIFYHOST. However, I
> still want to check the CN against something, as I know what the
> CN should be.
>
> What I'd really like to do is supply some form of certificate validation
> callback which would allow me to inspect the CN and drop the
> connection if it is incorrect.
>
> However I don't think I can do that - correct?
>
> What is the easiest way to read the CN post connection but before
> I send any (private) data? Do I have to do CURLOPT_CERTINFO
> then wade through curl_easy_getinfo / CURLINFO_CERTINFO ? At
> what point is this information available? The man page says:
>
> "assuming you had CURLOPT_CERTINFO enabled when the previous
> request was done"
>
> which implies the data is only there where the request has
> completed - by which time it's obviously too late.

Yeah, you can do all that if you have a backend that supports it [1][2],
but it sounds like overkill for what you describe. An easier way would
be to map the CNs to their IP addresses using CURLOPT_RESOLVE [3], and that
way you should be able to leave both sslverify options enabled.

struct curl_slist *host_list = NULL;
/* "HOST:PORT:ADDRESS": pin the name in the cert CN to the real server IP */
host_list = curl_slist_append(host_list, "server-abcde:8443:192.168.100.2");
curl_easy_setopt(curl, CURLOPT_RESOLVE, host_list);
/* use the CN as the URL host so CURLOPT_SSL_VERIFYHOST can stay at 2 */
curl_easy_setopt(curl, CURLOPT_URL, "https://server-abcde:8443/");
/* host_list must outlive the transfer; curl_slist_free_all() it afterwards */

[1]: http://curl.haxx.se/libcurl/c/CURLOPT_SSL_CTX_FUNCTION.html
[2]: http://curl.haxx.se/libcurl/c/curlx.html
[3]: http://curl.haxx.se/libcurl/c/CURLOPT_RESOLVE.html
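The CURLOPT_RESOLVE approach above as a complete program, added here as an example and not code from the mail or from the curl project. The helper names build_pinned_target and fetch_pinned, the CA bundle path "ca.pem", and the USE_LIBCURL build switch are my own choices; the CN, port and address are the ones from the thread. The transfer part only compiles and links when built with -DUSE_LIBCURL -lcurl, so the string-building helper can be exercised on its own.

```c
/* Added example (not from the original mail): keep CURLOPT_SSL_VERIFYPEER and
 * CURLOPT_SSL_VERIFYHOST enabled against a custom CA by pinning the cert's
 * CN to the server's IP with CURLOPT_RESOLVE, instead of disabling host
 * verification and inspecting the CN by hand afterwards.
 * Build:  cc pin.c -DUSE_LIBCURL -lcurl   (omit both to build helpers only) */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

#ifdef USE_LIBCURL
#include <curl/curl.h>
#endif

/* Accept only hostname-shaped CNs (letters, digits, '-', '.') so the CN can be
 * used verbatim as the URL host and as the HOST part of a resolve entry. */
static int cn_is_hostname(const char *cn)
{
    size_t i, n = strlen(cn);
    if (n == 0 || n > 253 || cn[0] == '-' || cn[0] == '.')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)cn[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Build the "HOST:PORT:ADDRESS" string for CURLOPT_RESOLVE and the matching
 * "https://HOST:PORT/" URL. Returns 1 on success, 0 if the CN, port or
 * address (IPv4 or IPv6 literal) is unusable or a buffer is too small. */
int build_pinned_target(const char *cn, unsigned port, const char *ip,
                        char *resolve, size_t rlen, char *url, size_t ulen)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (!cn_is_hostname(cn) || port == 0 || port > 65535)
        return 0;
    if (inet_pton(AF_INET, ip, &a4) != 1 && inet_pton(AF_INET6, ip, &a6) != 1)
        return 0;
    if (snprintf(resolve, rlen, "%s:%u:%s", cn, port, ip) >= (int)rlen)
        return 0;
    if (snprintf(url, ulen, "https://%s:%u/", cn, port) >= (int)ulen)
        return 0;
    return 1;
}

#ifdef USE_LIBCURL
/* One request to the pinned target: the chain must validate against the
 * custom CA bundle (VERIFYPEER) and the certificate name must equal the
 * URL host, i.e. the expected CN (VERIFYHOST=2). Returns 0 on success. */
int fetch_pinned(const char *cn, unsigned port, const char *ip, const char *cafile)
{
    char resolve[320], url[320];
    struct curl_slist *host_list = NULL;
    CURL *curl;
    CURLcode res;

    if (!build_pinned_target(cn, port, ip, resolve, sizeof resolve, url, sizeof url))
        return -1;
    curl = curl_easy_init();
    if (!curl)
        return -1;
    host_list = curl_slist_append(host_list, resolve);
    curl_easy_setopt(curl, CURLOPT_RESOLVE, host_list);
    curl_easy_setopt(curl, CURLOPT_URL, url);
    curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);      /* trust only the custom CA */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);  /* chain must validate */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);  /* name must match cn */
    res = curl_easy_perform(curl);
    if (res != CURLE_OK)
        fprintf(stderr, "transfer failed: %s\n", curl_easy_strerror(res));
    curl_easy_cleanup(curl);
    curl_slist_free_all(host_list); /* only after the handle no longer needs it */
    return res == CURLE_OK ? 0 : -1;
}
#endif

int main(int argc, char **argv)
{
    char resolve[320], url[320];
    /* values from the thread; "ca.pem" is a placeholder path for the custom CA */
    if (!build_pinned_target("server-abcde", 8443, "192.168.100.2",
                             resolve, sizeof resolve, url, sizeof url)) {
        fprintf(stderr, "unusable target\n");
        return 1;
    }
    printf("CURLOPT_RESOLVE entry: %s\nCURLOPT_URL: %s\n", resolve, url);
#ifdef USE_LIBCURL
    return fetch_pinned("server-abcde", 8443, "192.168.100.2",
                        argc > 1 ? argv[1] : "ca.pem") == 0 ? 0 : 2;
#else
    (void)argc; (void)argv;
    return 0;
#endif
}
```

Because the name in the URL is the CN the server is expected to present, a certificate signed by the custom CA but carrying a different CN fails libcurl's own host check before any request data is sent, which is the check the original question wanted to perform by hand. If the server certificates also carry a subjectAltName, the entry libcurl matches is the SAN rather than the CN, so the pinned name must appear there.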

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-07-11