2002-11-11 17:41:45 -05:00
|
|
|
Peer SSL Certificate Verification
|
|
|
|
=================================
|
2003-06-26 17:30:48 -04:00
|
|
|
|
2004-08-09 03:02:51 -04:00
|
|
|
libcurl performs peer SSL certificate verification by default. This is done by
|
|
|
|
installing a default CA cert bundle on 'make install' (or similar), that CA
|
|
|
|
bundle package is used by default on operations against SSL servers.
|
2002-11-11 17:37:59 -05:00
|
|
|
|
2004-08-09 03:02:51 -04:00
|
|
|
If you communicate with HTTPS or FTPS servers using certificates that are
|
|
|
|
signed by CAs present in the bundle, you can be sure that the remote server
|
|
|
|
really is the one it claims to be.
|
2002-11-11 17:37:59 -05:00
|
|
|
|
2004-03-16 02:25:52 -05:00
|
|
|
If the remote server uses a self-signed certificate, if you don't install
|
|
|
|
curl's CA cert bundle, if the server uses a certificate signed by a CA that
|
2004-06-29 09:16:30 -04:00
|
|
|
isn't included in the bundle or if the remote host is an impostor
|
|
|
|
impersonating your favorite site, and you want to transfer files from this
|
2004-03-16 02:25:52 -05:00
|
|
|
server, do one of the following:
|
2002-11-11 17:37:59 -05:00
|
|
|
|
|
|
|
1. Tell libcurl to *not* verify the peer. With libcurl you disable with with
|
|
|
|
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
|
|
|
|
|
2004-06-29 03:58:52 -04:00
|
|
|
With the curl command line tool, you disable this with -k/--insecure.
|
2002-11-11 17:37:59 -05:00
|
|
|
|
|
|
|
2. Get a CA certificate that can verify the remote server and use the proper
|
|
|
|
option to point out this CA cert for verification when connecting. For
|
|
|
|
libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath);
|
|
|
|
|
2004-06-29 03:58:52 -04:00
|
|
|
With the curl command line tool: --cacert [file]
|
2002-11-11 17:37:59 -05:00
|
|
|
|
2004-03-30 01:46:36 -05:00
|
|
|
3. Add the CA cert for your server to the existing default CA cert bundle.
|
|
|
|
The default path of the CA bundle installed with the curl package is:
|
|
|
|
/usr/local/share/curl/curl-ca-bundle.crt, which can be changed by running
|
|
|
|
configure with the --with-ca-bundle option pointing out the path of your
|
|
|
|
choice.
|
|
|
|
|
2004-06-29 03:58:52 -04:00
|
|
|
If you're using the curl command line tool, you can specify your own CA
|
|
|
|
cert path by setting the environment variable CURL_CA_BUNDLE to the path
|
|
|
|
of your choice.
|
|
|
|
|
2004-06-29 09:16:30 -04:00
|
|
|
If you're using the curl command line tool on Windows, curl will search
|
2004-06-29 03:58:52 -04:00
|
|
|
for a CA cert file named "curl-ca-bundle.crt" in these directories and in
|
|
|
|
this order:
|
|
|
|
1. application's directory
|
|
|
|
2. current working directory
|
|
|
|
3. Windows System directory (e.g. C:\windows\system32)
|
|
|
|
4. Windows Directory (e.g. C:\windows)
|
|
|
|
5. all directories along %PATH%
|
|
|
|
|
2004-08-09 03:02:51 -04:00
|
|
|
4. Get a better/different/newer CA cert bundle! One option is to extract the
|
|
|
|
one a recent Mozilla browser uses, by following the instruction found
|
|
|
|
here:
|
|
|
|
|
|
|
|
http://curl.haxx.se/docs/caextract.html
|
|
|
|
|
2004-06-29 09:16:30 -04:00
|
|
|
Neglecting to use one of the above methods when dealing with a server using a
|
|
|
|
certificate that isn't signed by one of the certificates in the installed CA
|
2003-01-23 01:15:26 -05:00
|
|
|
cert bundle, will cause SSL to report an error ("certificate verify failed")
|
|
|
|
during the handshake and SSL will then refuse further communication with that
|
|
|
|
server.
|
|
|
|
|
|
|
|
This procedure has been deemed The Right Thing even though it adds this extra
|
|
|
|
trouble for some users, since it adds security to a majority of the SSL
|
|
|
|
connections that previously weren't really secure. It turned out many people
|
|
|
|
were using previous versions of curl/libcurl without realizing the need for
|
|
|
|
the CA cert options to get truly secure SSL connections.
|