Getting SSL* is a little bit tricky and hacky, so you need to be careful, as 
libcurl doesn't provide a direct way to get the OpenSSL handle 
and discourages using it directly, especially for SSL_read/SSL_write, as 
it may break how libcurl protocol filters work.

But if you really need to go down that path and are planning to use SSL* only for 
extracting some certificate info, 
then here are the steps which you can try:

1. Register an SSL context callback function via the CURLOPT_SSL_CTX_FUNCTION 
option on the easy handle.
It will give you the ability to get the SSL context (SSL_CTX*).

2. Once you have the SSL context, you can register an SSL_VERIFY_PEER callback 
on that context, like:
        SSL_CTX_set_verify(ctx_, SSL_VERIFY_PEER, sslVerifyCallback);

3. In the SSL verify peer callback, you can get the SSL handle like:

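static int sslVerifyCallback(int valid_sig, X509_STORE_CTX* ctx) {
     // Recover the SSL handle that OpenSSL attached to this verification context.
     auto ssl = (SSL*)(X509_STORE_CTX_get_ex_data(ctx,
         SSL_get_ex_data_X509_STORE_CTX_idx()));
     ...
     // Extract additional certificate info using OpenSSL API.
     ...
     // Pass OpenSSL's own verification result through unchanged.
     return valid_sig;
}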

This is what I used in the past. 
Again, use it at your own risk, as you will not get any support for that kind 
of thing.

Thanks,
Dmitry Karpov

-----Original Message-----
From: curl-library <curl-library-boun...@lists.haxx.se> On Behalf Of Patrick 
Schlangen via curl-library
Sent: Monday, November 4, 2024 12:51 AM
To: libcurl development <curl-library@lists.haxx.se>
Cc: Patrick Schlangen <patr...@schlangen.me>
Subject: [EXTERNAL] Get SSL handle after connection has been established

Hi,

I'd like to extract some information from the OpenSSL SSL* after connection 
establishment. Is there any callback / libcurl option I can use for that? 
Basically, I'd like to provide a callback which is invoked at about the point 
where libcurl also performs the CERTINFO extraction.

Background: I'd like to extract the certificate expiration date, but without 
the overhead of string parsing and all the other values captured by 
CURLOPT_CERTINFO.

Thanks,

Patrick
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html