2014-09-09 17:46:58 -04:00
|
|
|
Peer SSL Certificate Verification
|
|
|
|
=================================
|
2003-06-26 17:30:48 -04:00
|
|
|
|
2013-02-18 18:27:30 -05:00
|
|
|
(NOTE: If libcurl was built with Schannel or Secure Transport support, then
|
|
|
|
this does not apply to you. Scroll down for details on how the OS-native
|
|
|
|
engines handle SSL certificates. If you're not sure, then run "curl -V" and
|
|
|
|
read the results. If the version string says "WinSSL" in it, then it was built
|
|
|
|
with Schannel support.)
|
|
|
|
|
2008-02-18 06:35:12 -05:00
|
|
|
libcurl performs peer SSL certificate verification by default. This is done
|
|
|
|
by using CA cert bundle that the SSL library can use to make sure the peer's
|
|
|
|
server certificate is valid.
|
2002-11-11 17:37:59 -05:00
|
|
|
|
2004-08-09 03:02:51 -04:00
|
|
|
If you communicate with HTTPS or FTPS servers using certificates that are
|
|
|
|
signed by CAs present in the bundle, you can be sure that the remote server
|
|
|
|
really is the one it claims to be.
|
2002-11-11 17:37:59 -05:00
|
|
|
|
2008-02-18 06:35:12 -05:00
|
|
|
Until 7.18.0, curl bundled a severely outdated ca bundle file that was
|
|
|
|
installed by default. These days, the curl archives include no ca certs at
|
|
|
|
all. You need to get them elsewhere. See below for example.
|
|
|
|
|
|
|
|
If the remote server uses a self-signed certificate, if you don't install a CA
|
|
|
|
cert bundle, if the server uses a certificate signed by a CA that isn't
|
|
|
|
included in the bundle you use or if the remote host is an impostor
|
2004-06-29 09:16:30 -04:00
|
|
|
impersonating your favorite site, and you want to transfer files from this
|
2004-03-16 02:25:52 -05:00
|
|
|
server, do one of the following:
|
2002-11-11 17:37:59 -05:00
|
|
|
|
2008-02-08 16:04:24 -05:00
|
|
|
1. Tell libcurl to *not* verify the peer. With libcurl you disable this with
|
2014-09-09 17:46:58 -04:00
|
|
|
`curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);`
|
2002-11-11 17:37:59 -05:00
|
|
|
|
2004-06-29 03:58:52 -04:00
|
|
|
With the curl command line tool, you disable this with -k/--insecure.
|
2002-11-11 17:37:59 -05:00
|
|
|
|
|
|
|
2. Get a CA certificate that can verify the remote server and use the proper
|
|
|
|
option to point out this CA cert for verification when connecting. For
|
2014-09-09 17:46:58 -04:00
|
|
|
libcurl hackers: `curl_easy_setopt(curl, CURLOPT_CAPATH, capath);`
|
2002-11-11 17:37:59 -05:00
|
|
|
|
2004-06-29 03:58:52 -04:00
|
|
|
With the curl command line tool: --cacert [file]
|
2002-11-11 17:37:59 -05:00
|
|
|
|
2004-03-30 01:46:36 -05:00
|
|
|
3. Add the CA cert for your server to the existing default CA cert bundle.
|
2008-02-18 06:35:12 -05:00
|
|
|
The default path of the CA bundle used can be changed by running configure
|
|
|
|
with the --with-ca-bundle option pointing out the path of your choice.
|
2004-03-30 01:46:36 -05:00
|
|
|
|
2004-08-25 04:09:48 -04:00
|
|
|
To do this, you need to get the CA cert for your server in PEM format and
|
|
|
|
then append that to your CA cert bundle.
|
|
|
|
|
|
|
|
If you use Internet Explorer, this is one way to get extract the CA cert
|
|
|
|
for a particular server:
|
|
|
|
|
2014-09-09 17:46:58 -04:00
|
|
|
- View the certificate by double-clicking the padlock
|
|
|
|
- Find out where the CA certificate is kept (Certificate>
|
2004-08-25 04:09:48 -04:00
|
|
|
Authority Information Access>URL)
|
2014-09-09 17:46:58 -04:00
|
|
|
- Get a copy of the crt file using curl
|
|
|
|
- Convert it from crt to PEM using the openssl tool:
|
2004-08-25 04:09:48 -04:00
|
|
|
openssl x509 -inform DES -in yourdownloaded.crt \
|
|
|
|
-out outcert.pem -text
|
2014-09-09 17:46:58 -04:00
|
|
|
- Append the 'outcert.pem' to the CA cert bundle or use it stand-alone
|
2004-08-25 04:09:48 -04:00
|
|
|
as described below.
|
|
|
|
|
2004-09-12 14:27:12 -04:00
|
|
|
If you use the 'openssl' tool, this is one way to get extract the CA cert
|
|
|
|
for a particular server:
|
|
|
|
|
2014-09-09 17:46:58 -04:00
|
|
|
- `openssl s_client -connect xxxxx.com:443 |tee logfile`
|
|
|
|
- type "QUIT", followed by the "ENTER" key
|
|
|
|
- The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE"
|
2004-09-12 14:27:12 -04:00
|
|
|
markers.
|
2014-09-09 17:46:58 -04:00
|
|
|
- If you want to see the data in the certificate, you can do: "openssl
|
2004-09-12 14:27:12 -04:00
|
|
|
x509 -inform PEM -in certfile -text -out certdata" where certfile is
|
|
|
|
the cert you extracted from logfile. Look in certdata.
|
2014-09-09 17:46:58 -04:00
|
|
|
- If you want to trust the certificate, you can append it to your
|
|
|
|
cert bundle or use it stand-alone as described. Just remember that the
|
2004-09-12 14:27:12 -04:00
|
|
|
security is no better than the way you obtained the certificate.
|
|
|
|
|
2004-08-25 04:09:48 -04:00
|
|
|
4. If you're using the curl command line tool, you can specify your own CA
|
2014-09-09 17:46:58 -04:00
|
|
|
cert path by setting the environment variable `CURL_CA_BUNDLE` to the path
|
2004-06-29 03:58:52 -04:00
|
|
|
of your choice.
|
|
|
|
|
2004-06-29 09:16:30 -04:00
|
|
|
If you're using the curl command line tool on Windows, curl will search
|
2004-06-29 03:58:52 -04:00
|
|
|
for a CA cert file named "curl-ca-bundle.crt" in these directories and in
|
|
|
|
this order:
|
|
|
|
1. application's directory
|
|
|
|
2. current working directory
|
|
|
|
3. Windows System directory (e.g. C:\windows\system32)
|
|
|
|
4. Windows Directory (e.g. C:\windows)
|
|
|
|
5. all directories along %PATH%
|
|
|
|
|
2004-08-25 04:09:48 -04:00
|
|
|
5. Get a better/different/newer CA cert bundle! One option is to extract the
|
2009-08-18 15:51:18 -04:00
|
|
|
one a recent Firefox browser uses by running 'make ca-bundle' in the curl
|
2008-02-08 06:18:23 -05:00
|
|
|
build tree root, or possibly download a version that was generated this
|
2014-09-09 17:46:58 -04:00
|
|
|
way for you: [CA Extract](http://curl.haxx.se/docs/caextract.html)
|
2004-08-09 03:02:51 -04:00
|
|
|
|
2004-06-29 09:16:30 -04:00
|
|
|
Neglecting to use one of the above methods when dealing with a server using a
|
|
|
|
certificate that isn't signed by one of the certificates in the installed CA
|
2003-01-23 01:15:26 -05:00
|
|
|
cert bundle, will cause SSL to report an error ("certificate verify failed")
|
|
|
|
during the handshake and SSL will then refuse further communication with that
|
|
|
|
server.
|
2009-09-21 19:00:12 -04:00
|
|
|
|
2014-09-09 17:46:58 -04:00
|
|
|
Peer SSL Certificate Verification with NSS
|
|
|
|
==========================================
|
2009-09-21 19:00:12 -04:00
|
|
|
|
2013-02-18 18:27:30 -05:00
|
|
|
If libcurl was built with NSS support, then depending on the OS distribution,
|
|
|
|
it is probably required to take some additional steps to use the system-wide CA
|
|
|
|
cert db. RedHat ships with an additional module, libnsspem.so, which enables
|
|
|
|
NSS to read the OpenSSL PEM CA bundle. This library is missing in OpenSuSE, and
|
|
|
|
without it, NSS can only work with its own internal formats. NSS also has a new
|
2014-09-09 17:46:58 -04:00
|
|
|
[database format](https://wiki.mozilla.org/NSS_Shared_DB).
|
2013-02-18 18:27:30 -05:00
|
|
|
|
2014-08-01 09:27:46 -04:00
|
|
|
Starting with version 7.19.7, libcurl automatically adds the 'sql:' prefix to
|
|
|
|
the certdb directory (either the hardcoded default /etc/pki/nssdb or the
|
|
|
|
directory configured with SSL_DIR environment variable). To check which certdb
|
|
|
|
format your distribution provides, examine the default certdb location:
|
|
|
|
/etc/pki/nssdb; the new certdb format can be identified by the filenames
|
|
|
|
cert9.db, key4.db, pkcs11.txt; filenames of older versions are cert8.db,
|
|
|
|
key3.db, secmod.db.
|
2009-09-21 19:00:12 -04:00
|
|
|
|
2014-09-09 17:46:58 -04:00
|
|
|
Peer SSL Certificate Verification with Schannel and Secure Transport
|
|
|
|
====================================================================
|
2013-02-18 18:27:30 -05:00
|
|
|
|
|
|
|
If libcurl was built with Schannel (Microsoft's TLS/SSL engine) or Secure
|
|
|
|
Transport (Apple's TLS/SSL engine) support, then libcurl will still perform
|
|
|
|
peer certificate verification, but instead of using a CA cert bundle, it will
|
|
|
|
use the certificates that are built into the OS. These are the same
|
|
|
|
certificates that appear in the Internet Options control panel (under Windows)
|
|
|
|
or Keychain Access application (under OS X). Any custom security rules for
|
|
|
|
certificates will be honored.
|
|
|
|
|
|
|
|
Schannel will run CRL checks on certificates unless peer verification is
|
|
|
|
disabled. Secure Transport on iOS will run OCSP checks on certificates unless
|
|
|
|
peer verification is disabled. Secure Transport on OS X will run either OCSP
|
|
|
|
or CRL checks on certificates if those features are enabled, and this behavior
|
|
|
|
can be adjusted in the preferences of Keychain Access.
|