
Custom SSL certificate validation with libcurl

I need libcurl to accept self-signed certs but I don't want them to be blindly accepted. I need to be able to verify the certificates are the expected self-signed certs before allowing the connection to proceed.

In .NET this is done by setting a RemoteCertificateValidationCallback with the SslStream or HttpWebRequest. The callback provides the certificates and a check can be made to verify the details are expected. In case you are wondering, I have a secure method of distributing the cert details to the agents that need them.

With libcurl, the closest thing to an SSL callback is CURLOPT_SSL_CTX_FUNCTION; however, the docs state:

This callback function gets called by libcurl just before the initialization of an SSL connection after having processed all other SSL related options to give a last chance to an application to modify the behavior of the SSL initialization.

That means that the callback is called before the actual SSL connection is made, which means the certificates have not been received yet to verify. Unless I'm misunderstanding what I can do in that callback, is there a way to do my own SSL verification with libcurl?

@0xdeadbeef You can use the SSL callback. In that, you will receive an SSL_CTX*. Use this pointer to change the default 'verify' function and point it to your own 'verify' method. You need to use SSL_CTX_set_verify. https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_verify.html
