We have a situation where we have a custom CA that has signed server and client certificates.
The server certificates have CNs (like "server-abcde") which are unrelated to the URL used to access them, e.g. "https://192.168.100.2:8443/".

I think I need to leave CURLOPT_SSL_VERIFYPEER turned on to ensure the cert is signed by the correct CA. Obviously I don't want libcurl to verify that the CN matches the URL, as it won't. So I need to turn off CURLOPT_SSL_VERIFYHOST. However, I still want to check the CN against something, as I know what the CN should be.

What I'd really like to do is supply some form of certificate validation callback which would allow me to inspect the CN and drop the connection if it is incorrect. However, I don't think I can do that - correct?

What is the easiest way to read the CN post-connection but before I send any (private) data? Do I have to do CURLOPT_CERTINFO and then wade through curl_easy_getinfo / CURLINFO_CERTINFO? At what point is this information available? The man page says: "assuming you had CURLOPT_CERTINFO enabled when the previous request was done", which implies the data is only there once the request has completed - by which time it's obviously too late.

-- 
Alex Bligh
