On Thu, 28 Jan 2010, Adrian Michel wrote:
My app uses libcurl to make https requests based on this example http://curl.haxx.se/libcurl/c/https.html and I do not use a client side certificate. My goal is not to authenticate the server, as I also control the server side, but to ensure the requests and responses are encrypted. I'm wondering though if not having a client side certificate could make the application less secure, or have any other unintended consequences.
No, it won't make your client-side less secure, it will possibly make the server-side less sure of who's really communicating with it.
There's no additional encryption or anything going on when you use a client certificate, it is "just" an added certificate.
Also, when using a client certificate with libcurl, is there a way to pass it from memory instead of a file? Or is it required by the standards that the cert must be in a file? It would make deployment simpler if the cert was in a resource inside the executable.
I agree that it would be nifty to have such a way, but we have no such API (yet). It has been asked for before, so I'm sure you're not alone in wanting that ability. You up to working to get it introduced?
--
 / daniel.haxx.se
