On 7/10/2015 7:24 AM, Alex Bligh wrote:
We have a situation where we have a custom CA that has signed server and client certificates. The server certificates have CNs (like "server-abcde") which are unrelated to the URL used to access them, e.g. "https://192.168.100.2:8443/".

I think I need to leave CURLOPT_SSL_VERIFYPEER turned on to ensure the cert is signed by the correct CA. Obviously I don't want libcurl to verify that the CN matches the URL, as it won't. So I need to turn off CURLOPT_SSL_VERIFYHOST. However, I still want to check the CN against something, as I know what the CN should be.

What I'd really like to do is supply some form of certificate validation callback which would allow me to inspect the CN and drop the connection if it is incorrect. However, I don't think I can do that - correct?

What is the easiest way to read the CN post connection but before I send any (private) data? Do I have to do CURLOPT_CERTINFO then wade through curl_easy_getinfo / CURLINFO_CERTINFO? At what point is this information available? The man page says: "assuming you had CURLOPT_CERTINFO enabled when the previous request was done", which implies the data is only there once the request has completed - by which time it's obviously too late.
Yeah, you can do all that if you have a backend that supports it [1][2], but it sounds like overkill for what you describe. An easier way would be to map the CNs to their IP addresses using CURLOPT_RESOLVE [3], and that way you should be able to leave both sslverify options enabled.
    /* Pin the certificate's CN to the real address: "HOST:PORT:ADDRESS" */
    struct curl_slist *host_list = NULL;
    host_list = curl_slist_append(NULL, "server-abcde:8443:192.168.100.2");
    curl_easy_setopt(curl, CURLOPT_RESOLVE, host_list);
    /* Use the CN as the URL host so the default VERIFYHOST check passes */
    curl_easy_setopt(curl, CURLOPT_URL, "https://server-abcde:8443/");
    /* ... perform the request, then release the list after curl_easy_cleanup() */
    curl_slist_free_all(host_list);

[1]: http://curl.haxx.se/libcurl/c/CURLOPT_SSL_CTX_FUNCTION.html
[2]: http://curl.haxx.se/libcurl/c/curlx.html
[3]: http://curl.haxx.se/libcurl/c/CURLOPT_RESOLVE.html

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
