Thank you all for your input. It led me to a little investigation and as it turns out I didn't know what I was doing with the keys. Originally the client key was signed by the client itself. I now have client keys signed by the web server, and can run simplessl.c with my keys and `curl_easy_setopt(curl,CURLOPT_CAINFO,pCACertFile)` disabled. Curious though how `curl -E cert url` worked in the original scenario when simplessl.c did not.
On 20 August 2012 04:31, Ralph Mitchell <[email protected]> wrote:
> On Sun, Aug 19, 2012 at 1:57 PM, Daniel Stenberg <[email protected]> wrote:
>>
>> On Sun, 19 Aug 2012, Ralph Mitchell wrote:
>>
>>>> static const char *pCertFile = "cert.pem";
>>>>>
>>>>> static const char *pCACertFile="cert.pem";
>>>>
>>>> This seems like a highly unlikely scenario. The same file, really?
>>>
>>> A self-signed cert would be its own CA cert, so it's possible.
>>
>> But the pCertFile is the SSL _client_ cert. It would mean that he uses the
>> client cert file to verify the server cert and still also use that to
>> authenticate to the server. It might be possible, but my money is on a
>> mistake or misunderstanding somewhere.
>
> Yes, true!! The *server* would need to have the client's CA chain to
> validate the client cert, and the *client* would need the server's CA chain
> to validate the server cert. If the OP has a self-signed CA cert that
> signed both the client and server certs, the chain file would be the same
> for both ends..
>
> However, command-line curl must have successfully validated the server using
> just the CApath:
>
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs
>
> so pCACertFile doesn't need setting to cert.pem.
>
>>> so the key would need to be in the same file too. The one thing that I'm
>>> not sure about is the compiled program reporting:
>>>
>>> * found 142 certificates in /etc/ssl/certs/ca-certificates.crt
>>>
>>> when it *should* be looking for CA certs in the file designated by
>>> pCACertFile. Does libcurl automatically look in ca-certificates as well as
>>> any file you designate?
>>
>> Very good remark there! No, libcurl will in that case only use the single
>> file specified in the setopt. It would indicate that he actually has 142
>> certificates in the file. That also hints that it isn't a client cert at
>> all...
>
> In command-line curl, -E <filename> specifies a file containing both key and
> matching certificate. Is libcurl going to bail out if it finds multiple
> unrelated certificates in that file, as well as the expected key/cert
> entries? Does the order of the entries matter?
>
> Personally, I'd prefer to keep the key, cert and chain files separate, so I
> know what's where, but I can see there might be reasons for keeping the pem
> files in one big lump.
>
> Ralph Mitchell
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
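The thread turns on which PEM file belongs in which curl option: the client key+cert (`curl -E` / CURLOPT_SSLCERT) versus the CA bundle (CURLOPT_CAINFO). As an added example, not code from the thread or from curl itself, here is a small stdlib-only Python inspector that counts PEM blocks the way libcurl's "found N certificates" message hints at, and flags the mix-up discussed above (CURLOPT_CAINFO pointed at the client cert file). The function names and the sample PEM bodies are constructed for illustration.

```python
import re
from typing import Dict, List

# One PEM block: group 1 is the label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_inventory(pem_text: str) -> Dict[str, int]:
    """Count PEM blocks per label, e.g. {'CERTIFICATE': 142}."""
    counts: Dict[str, int] = {}
    for m in PEM_BLOCK.finditer(pem_text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def classify_pem(pem_text: str) -> str:
    """Guess which curl option a PEM file plausibly belongs to."""
    inv = pem_inventory(pem_text)
    certs = inv.get("CERTIFICATE", 0)
    keys = sum(n for label, n in inv.items() if label.endswith("PRIVATE KEY"))
    if keys == 1 and certs >= 1:
        return "client identity"   # CURLOPT_SSLCERT / curl -E: key plus cert
    if keys == 0 and certs >= 1:
        return "ca bundle"         # CURLOPT_CAINFO: certificates only
    if keys > 1:
        return "ambiguous"         # several keys: unclear which one is meant
    return "empty"

def check_curl_files(sslcert_pem: str, cainfo_pem: str) -> List[str]:
    """Flag the mix-up from the thread: CAINFO pointed at the client cert."""
    problems = []
    if classify_pem(sslcert_pem) != "client identity":
        problems.append("CURLOPT_SSLCERT file is not a key+cert pair")
    if sslcert_pem == cainfo_pem:
        problems.append("CURLOPT_SSLCERT and CURLOPT_CAINFO are the same file")
    if classify_pem(cainfo_pem) != "ca bundle":
        problems.append("CURLOPT_CAINFO file does not look like a CA bundle")
    return problems

def _block(label: str, body: str) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample files; the base64 bodies are placeholders, not real keys.
CLIENT_PEM = (_block("RSA PRIVATE KEY", "MIIEowIB...")
              + _block("CERTIFICATE", "MIIDazCC..."))
BUNDLE_PEM = "".join(_block("CERTIFICATE", f"MIIC{i}zCC...") for i in range(3))
```

Running `check_curl_files(CLIENT_PEM, CLIENT_PEM)` reproduces the configuration from the quoted simplessl.c (pCertFile and pCACertFile both "cert.pem") and reports two problems; a proper key+cert file paired with a certificates-only bundle reports none.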
