My original reason for asking this was that I need to provide a workflow similar to a browser where, upon receiving a CURLE_SSL_CACERT error, I would display the server certificate details to the user and ask if they wanted to trust the certificate. Of course it was a chicken-vs.-egg problem in that I needed the connection to succeed before I could get the certificate.

One workaround I considered was creating a one-shot dummy connection with verification disabled to just grab and present the certificate details. However, I am now realizing that a bigger issue is setting CURLOPT_CERTINFO is not supported in all of the environments I am looking at supporting (e.g. OSX 10.9) due to particulars of the selected ssl implementation.

Is there any other more generic way to get the server certificate information that does not rely on the underlying ssl implementation curl is using (debug callback looked like a possibility but awfully heavy handed)? Or do I need to consider building/bundling my own libcurl/libopenssl combination for each platform I want to support with my application?

On Tue, Oct 29, 2013 at 6:00 PM, Rich Bramante <[email protected]> wrote:
> Using libcurl 7.24.0 bundled on OSX 10.8.5
>
> CURLOPT_SSL_VERIFYPEER 1
> CURLOPT_SSL_VERIFYHOST 2
> CURLOPT_CERTINFO 1
>
> When a connection fails with CURLE_SSL_CACERT I attempt to get the
> certificate information via CURLINFO_CERTINFO and then present those
> details to the user. Unfortunately, curl_certinfo num_of_certs is
> always 0 in this case. If I am able to connect either due to a valid
> cert or disabling the verification checks I can then fetch this
> information. I was able to reproduce this behavior with the certinfo.c
> example.
>
> Is this expected behavior?

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
