Re: Order of certificates in curl_certinfo

From: Ray Satiro via curl-library
Date: Thu, 25 Oct 2018 15:58:50 -0400

On 10/25/2018 3:20 PM, Martin Galvan via curl-library wrote:
> When using the CURLINFO_CERTINFO, the documentation says that a struct
> curl_certinfo gets populated with the peer's certificate chain, and
> the certs are accessible through the 'certinfo' member, which is an
> array. I'm wondering whether this array is "ordered", in that
> certinfo[num_of_certs -1] would return the top cert in the chain (be
> it the root cert or the last intermediate). If not, what would be a
> good way to detect which cert is the top, other than sorting them by
> Subject/Issuer?

I haven't checked all the backends so it might be implementation
specific, but I'll speak to OpenSSL. In openssl.c
SSL_get_peer_cert_chain is used to get the certinfo and according to
OpenSSL doc it "returns the peer chain as sent by the peer" [1][2].
Since the RFC requires the peer's cert first and "each following
certificate MUST directly certify the one preceding it" we can assume
there's order. Therefore I think you'd be right about the ordering in
*typical* cases but nothing is guaranteed.


Received on 2018-10-25
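The Subject/Issuer check Martin asks about, as an added example that is not from this thread or from curl itself: it treats each curl_certinfo entry as the list of "Name:Value" strings curl returns, relies on the "Subject:" and "Issuer:" lines the OpenSSL backend emits (an assumption here), verifies the order the RFC requires, and rebuilds the leaf-first order when the backend does not preserve it.

```python
from typing import List, Optional

# Constructed sample, not a real capture: field names follow what curl's
# OpenSSL backend writes into curl_certinfo, the values are invented.
LEAF = ["Subject:CN=www.example.test", "Issuer:CN=Example Intermediate CA"]
INTERMEDIATE = ["Subject:CN=Example Intermediate CA", "Issuer:CN=Example Root CA"]
ROOT = ["Subject:CN=Example Root CA", "Issuer:CN=Example Root CA"]
AS_SENT = [LEAF, INTERMEDIATE, ROOT]      # what a well-behaved peer sends
SCRAMBLED = [ROOT, LEAF, INTERMEDIATE]    # an order nothing guarantees against

def field(entry: List[str], name: str) -> Optional[str]:
    """Return the value of the 'Name:Value' line called name, or None."""
    prefix = name + ":"
    for line in entry:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None

def is_rfc_ordered(chain: List[List[str]]) -> bool:
    """True if each certificate is directly certified by the next one,
    i.e. cert[i].Issuer == cert[i+1].Subject (RFC 5246 section 7.4.2)."""
    return all(field(cur, "Issuer") == field(nxt, "Subject")
               for cur, nxt in zip(chain, chain[1:]))

def find_leaf(chain: List[List[str]]) -> List[str]:
    """The leaf is the only certificate whose Subject issued nothing in the
    chain; a self-signed root is excluded because it issued itself."""
    issuers = {field(e, "Issuer") for e in chain}
    leaves = [e for e in chain if field(e, "Subject") not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one leaf, found {len(leaves)}")
    return leaves[0]

def order_by_linkage(chain: List[List[str]]) -> List[List[str]]:
    """Rebuild the leaf-first order by following Issuer -> Subject links,
    so chain[-1] is the top cert (root or last intermediate) regardless of
    the order the backend handed us. Raises on gaps or loops."""
    by_subject = {field(e, "Subject"): e for e in chain}
    ordered, cur = [], find_leaf(chain)
    while cur is not None and cur not in ordered:
        ordered.append(cur)
        issuer = field(cur, "Issuer")
        if issuer == field(cur, "Subject"):
            break                       # self-signed root ends the chain
        cur = by_subject.get(issuer)    # None when it ends at an intermediate
    if len(ordered) != len(chain):
        raise ValueError("chain has a gap or a loop")
    return ordered
```

Checking `is_rfc_ordered` first and only falling back to `order_by_linkage` keeps the common case cheap while still not trusting the array index alone.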