On 2/19/2025 11:21 AM, Ihor Dutchak via curl-library wrote:
In scenarios where mTLS is used (e.g. the server requires a client
certificate to be presented), as part of the TLS protocol the server may
send (and often does) a list of certificate authorities (the Chromium
implementation calls it SSLCertRequestInfo), and only corresponding
client certificates are accepted by the server.

Having that list makes it possible to search for the required
certificate in a certificate store (possibly a hardware one), or even to
ask the user to specify one manually via the UI (this is what many
browsers, e.g. Chromium, do).

The current version of curl/libcurl (8.12.1) doesn't provide
functionality to retrieve the list of CAs specified by the server.

When the OpenSSL backend is used, there is one workaround: inside the
SSL context callback (CURLOPT_SSL_CTX_FUNCTION), set the SSL info
callback (SSL_CTX_set_info_callback) and wait for
SSL_CB_HANDSHAKE_DONE, at which point SSL_get_client_CA_list will
return the list of CAs specified by the server (if the server did
specify one).
After that one may find the corresponding client certificate and set it
for use, and the request has to be restarted, since a certificate cannot
be set after the SSL/TLS connection has started.

Other backends don't seem to allow such a thing, even as a workaround.

E.g. for the Schannel backend, there is the SECPKG_ATTR_CLIENT_CERT_POLICY
context attribute that may be used to retrieve a list of client CAs
specified by the server.


Does the option to auto-select a client certificate with Schannel work for your case?

curl: --ssl-auto-client-cert [1]

libcurl: CURLSSLOPT_AUTO_CLIENT_CERT [2]


[1]: https://curl.se/docs/manpage.html#--ssl-auto-client-cert
[2]: https://curl.se/libcurl/c/CURLOPT_SSL_OPTIONS.html#CURLSSLOPTAUTOCLIENTCERT
