Re: Disabling Server's Issue Date Validation with libcurl
Date: Thu, 9 Jan 2020 16:27:36 +0530
For better readability, I have also posted my question here:
https://stackoverflow.com/questions/59662414/disabling-ssl-issue-date-validation-with-libcurl
On Thu, Jan 9, 2020 at 3:05 PM Abhi Arora <engr.abhiarora_at_gmail.com> wrote:
> I am trying to disable Server's Certificate Issue Date Validation in Curl.
> For that, I have registered a "own_verify_callback" by calling
> "SSL_CTX_set_verify" in "sslContextVerify" function
> ("curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslContextVerify);").
>
> The "own_verify_callback" gets called and returns 1, but the curl
> connection still fails. I have set the system date and time to 1990.
>
> The code is below. Please help! I am stuck on it.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *static int own_verify_callback(int preverify, X509_STORE_CTX* x509_ctx){
> /* For error codes, see http://www.openssl.org/docs/apps/verify.html
> <http://www.openssl.org/docs/apps/verify.html> */ int err =
> X509_STORE_CTX_get_error(x509_ctx); // if (preverify) // return
> preverify; logger::Logger::error(std::string("--CURL: Error = ") +
> std::to_string(err)); if(err == X509_V_ERR_CERT_NOT_YET_VALID)
> logger::Logger::error("--CURL: Error = X509_V_ERR_CERT_NOT_YET_VALID"); if
> ((err == X509_V_OK) or (err == X509_V_ERR_CERT_NOT_YET_VALID)) return
> 1; return 1;}static CURLcode sslContextVerify(CURL* curl, void* ssl_ctx,
> void* user_ptr) { (void) curl; /* avoid warnings */ int ret; ret =
> SSL_CTX_use_certificate((SSL_CTX*) ssl_ctx, ((CertStore*)
> user_ptr)->getCert()); if (ret != 1) { logger::Logger::error("PKI
> Authentication: Set Certificate context failed."); return
> CURLE_SSL_CERTPROBLEM; } //ret = SSL_CTX_use_RSAPrivateKey((SSL_CTX*)
> ssl_ctx, ((CertStore*) user_ptr)->getKey()); EVP_PKEY *k; k =
> EVP_PKEY_new(); if (!k){ return CURLE_SSL_CERTPROBLEM; }
> EVP_PKEY_set1_EC_KEY(k, ((CertStore*) user_ptr)->getKey()); ret =
> SSL_CTX_use_PrivateKey((SSL_CTX*) ssl_ctx, k); EVP_PKEY_free(k); if (ret
> != 1) { logger::Logger::error("PKI Authentication: Set Key context
> failed."); return CURLE_SSL_CERTPROBLEM; } SSL_CTX_set_verify((SSL_CTX
> *)ssl_ctx, SSL_VERIFY_PEER, own_verify_callback); /* all set to go */
> return CURLE_OK;}std::map<std::string, std::string>
> PkiAuthenticator::authenticate() { logger::Logger::info("Authenticating
> with PKI..."); std::ostringstream request_url_str_stream;
> request_url_str_stream << this->auth_endpoint; if
> (this->auth_endpoint.find_last_of('/') != this->auth_endpoint.size() - 1)
> { request_url_str_stream << '/'; } request_url_str_stream <<
> PkiAuthenticator::ENDPOINT_PATH; request_url_str_stream <<
> this->system_type; std::string request_url(request_url_str_stream.str());
> CURL* curl = curl_easy_init(); curl_easy_setopt(curl, CURLOPT_URL,
> request_url.c_str()); curl_easy_setopt(curl, CURLOPT_HTTPGET, true);
> curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
> curl_easy_setopt(curl, CURLOPT_FRESH_CONNECT, true);
> curl_easy_setopt(curl, CURLOPT_TIMEOUT_MS, 30000L); curl_easy_setopt(curl,
> CURLOPT_VERBOSE, false); curl_easy_setopt(curl, CURLOPT_CAPATH,
> "/etc/ssl/certs/ca-bundle.pem"); curl_easy_setopt(curl, CURLOPT_CAINFO ,
> "/etc/ssl/certs/ca-bundle.pem"); curl_easy_setopt(curl,
> CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); /*curl_easy_setopt(curl,
> CURLOPT_SSL_CIPHER_LIST, "ECDHE-ECDSA-AES128-GCM-SHA256,"
> "ECDHE-ECDSA-AES128-CBC-SHA256,"
> "ECDHE-ECDSA-AES256-GCM-SHA384,"
>
> "ECDHE-ECDSA-AES256-CBC-SHA384,"
> "ECDHE-RSA-AES256-GCM-SHA384,"
> "ECDHE-RSA-AES128-GCM-SHA256,"
> "ECDHE-RSA-AES256-CBC-SHA384,"
> "ECDHE-RSA-AES128-CBC-SHA256");*/curl_easy_setopt(curl,
> CURLOPT_SSL_CIPHER_LIST, "ECDHE-ECDSA-AES128-GCM-SHA256,"
> "ECDHE-ECDSA-AES128-CBC-SHA256,"
> "ECDHE-ECDSA-AES256-GCM-SHA384,"
>
> "ECDHE-ECDSA-AES256-CBC-SHA384"); assert(curl != NULL);
> utility::MemoryBuffer response_buffer(0); curl_easy_setopt(curl,
> CURLOPT_WRITEFUNCTION, &memoryBufferWrite); curl_easy_setopt(curl,
> CURLOPT_WRITEDATA, &response_buffer); utility::MemoryBuffer
> header_buffer(0); curl_easy_setopt(curl, CURLOPT_HEADERDATA,
> &header_buffer); curl_easy_setopt(curl, CURLOPT_HEADERFUNCTION,
> &memoryBufferWrite); char error_buffer[CURL_ERROR_SIZE];
> curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error_buffer); error_buffer[0]
> = 0; // Set as empty string curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA,
> this->cert_store); CURLcode ret = curl_easy_setopt(curl,
> CURLOPT_SSL_CTX_FUNCTION, sslContextVerify); if (ret ==
> CURLE_NOT_BUILT_IN) { logger::Logger::error("SSL context function not
> built in. Cannot perform PKI with this OpenSSL-CURL build."); throw
> std::runtime_error("SSL context function not built in. Cannot perform PKI
> with this OpenSSL-CURL build."); } CURLcode curl_return_code;
> curl_return_code = curl_easy_perform(curl); if (curl_return_code !=
> CURLE_OK) { std::ostringstream error_msg; error_msg << "--CURL Error:
> "; error_msg << error_buffer; if (errno) { error_msg << ": " <<
> strerror(errno); } curl_easy_cleanup(curl);
> logger::Logger::error(error_msg.str()); throw
> std::runtime_error(error_msg.str()); }}*
>
Received on 2020-01-09