On 12/23/2025 6:53 PM, dogma via curl-library wrote:
Does CURLINFO_CERTINFO always provide the chain of certificates if it
happens to be exposed by the backend, or is it more haphazard than that?

If a transfer fails, I print the chain if it’s provided, but for example
I just had one that failed because the certificate has expired. No
chain. This is with OpenSSL.


I think historically it wasn't provided unless the transfer was successful, the backend supported it and CURLOPT_CERTINFO [1] was enabled for the transfer. However, I just tested curl master branch [2] with OpenSSL and retrieving CERTINFO worked for a failed transfer. I tested against a URL (https://cdn.gigya.com) that serves a certificate with no matching hostname ("no alternative certificate subject name matches") so the transfer fails. I tested against some other URLs with different types of cert problems as well as expired certificates and I still got certinfo.

curl 8.18.0-DEV (i386-pc-win32) libcurl/8.18.0-DEV OpenSSL/3.0.8 nghttp2/1.52.0 WinLDAP


  // from certinfo.c example, show certinfo
  union {
    struct curl_slist    *to_info;
    struct curl_certinfo *to_certinfo;
  } ptr;
  ptr.to_info = NULL;
  if(!curl_easy_getinfo(curl, CURLINFO_CERTINFO, &ptr.to_info) && ptr.to_info) {
    int i;
    printf("%d certs!\n", ptr.to_certinfo->num_of_certs);
    for(i = 0; i < ptr.to_certinfo->num_of_certs; i++) {
      struct curl_slist *slist;
      for(slist = ptr.to_certinfo->certinfo[i]; slist; slist = slist->next)
        printf("%s\n", slist->data);
    }
  }


[1]: https://curl.se/libcurl/c/CURLOPT_CERTINFO.html
[2]: https://github.com/curl/curl
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
