In scenarios where mTLS is used (e.g. the server requires a client certificate to be specified), as part of the TLS protocol the server may send (and often does) a list of certificate authorities (the Chromium implementation calls it SSLCertRequestInfo), and only corresponding client certificates are to be accepted by the server.

Having that list allows one to search for a required certificate in a certificate store (maybe a hardware one) or even ask the user to specify one manually via the UI (this is what many browsers, e.g. Chromium, do). The current version of curl/libcurl (8.12.1) doesn't provide functionality to retrieve the list of CAs specified by the server.

When the OpenSSL backend is used there is one workaround: inside the SSL context callback (CURLOPT_SSL_CTX_FUNCTION) set the SSL info callback (SSL_CTX_set_info_callback) and wait for SSL_CB_HANDSHAKE_DONE, at which point SSL_get_client_CA_list will return the list of CAs specified by the server (in case the server did specify one). After that one may find the corresponding client certificate and set it to use, and the request has to be restarted, since a certificate cannot be set after the SSL/TLS connection has started.

Other backends don't seem to allow such a thing even as a workaround. E.g. for the schannel backend, there is the SECPKG_ATTR_CLIENT_CERT_POLICY context attribute that may be used to retrieve a list of client CAs specified by the server. I haven't checked other backends, but I believe similar functionality/API should be present, as it is part of the TLS protocol.

As for curl/libcurl: it would be great to have a callback function where the list of CAs specified by the server during the initial TLS handshake is provided, and a way to set the selected client certificate from the context of that callback (or, maybe, in some other way). I totally understand this is a big chunk of work, but I failed to find any information about it which is specific to curl, so I'm starting this conversation with a summary of my findings.

--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html