2002-11-12 06:41:45 +08:00
|
|
|
Peer SSL Certificate Verification
|
|
|
|
=================================
|
2003-06-27 05:30:48 +08:00
|
|
|
|
2002-11-12 06:41:45 +08:00
|
|
|
Starting in 7.10, libcurl performs peer SSL certificate verification by
|
|
|
|
default. This is done by installing a default CA cert bundle on 'make install'
|
|
|
|
(or similar), that CA bundle package is used by default on operations against
|
|
|
|
SSL servers.
|
2002-11-12 06:37:59 +08:00
|
|
|
|
2003-01-23 14:09:35 +08:00
|
|
|
Alas, if you communicate with HTTPS servers using certificates that are signed
|
2002-11-12 06:37:59 +08:00
|
|
|
by CAs present in the bundle, you will not notice any changed behavior and you
|
2003-02-08 22:36:18 +08:00
|
|
|
will seamlessly get a higher security level on your SSL connections since you
|
|
|
|
can be sure that the remote server really is the one it claims to be.
|
2002-11-12 06:37:59 +08:00
|
|
|
|
|
|
|
If the remote server uses a self-signed certificate, or if you don't install
|
|
|
|
curl's CA cert bundle or if it uses a certificate signed by a CA that isn't
|
|
|
|
included in the bundle, then you need to do one of the following:
|
|
|
|
|
|
|
|
1. Tell libcurl to *not* verify the peer. With libcurl you disable with with
|
|
|
|
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
|
|
|
|
|
|
|
|
With the curl command tool, you disable this with -k/--insecure.
|
|
|
|
|
|
|
|
2. Get a CA certificate that can verify the remote server and use the proper
|
|
|
|
option to point out this CA cert for verification when connecting. For
|
|
|
|
libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath);
|
|
|
|
|
|
|
|
With the curl command tool: --cacert [file]
|
|
|
|
|
2003-01-23 14:15:26 +08:00
|
|
|
Neglecting to use one of the above menthods when dealing with a server using a
|
|
|
|
certficate that isn't signed by one of the certficates in the installed CA
|
|
|
|
cert bundle, will cause SSL to report an error ("certificate verify failed")
|
|
|
|
during the handshake and SSL will then refuse further communication with that
|
|
|
|
server.
|
|
|
|
|
|
|
|
This procedure has been deemed The Right Thing even though it adds this extra
|
|
|
|
trouble for some users, since it adds security to a majority of the SSL
|
|
|
|
connections that previously weren't really secure. It turned out many people
|
|
|
|
were using previous versions of curl/libcurl without realizing the need for
|
|
|
|
the CA cert options to get truly secure SSL connections.
|