Can a curl client be instructed to ONLY validate the certificate of the server when establishing a TLS connection?

[HakanSunay]

Hi,

If I have the certificate of a remote server (no chain), that I am trying to connect to, beforehand, is it possible to instruct curl to use that when establishing trust? The --cacert option does not seem to fulfill this use-case exactly, since there is no guarantee that this cert is the CA (or it could've been signed by a private CA).

I may have found a non-straightforward way to achieve this, but not sure if it is safe/secure. I am using a combination of -k and --pinnedpubkey:

$ cat cert.pem
-----BEGIN CERTIFICATE-----
MIIFMzCCA5ugAwIBAgIJAP/HezFgwCWcMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYD
....................
W8JwtgdrpB+eWxgOvajJlS1C70L/GyeU1iUg3x8j4D/eqnQx1Vrk
-----END CERTIFICATE-----

$ openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
$ curl -k --pinnedpubkey pubkey.pem https://remote-corp.com:443

Does this mean that the peer verification is skipped, but pubkey is asserted and the transfer is still done in a secure encrypted manner?

[HakanSunay]

I was able to find a similar thread for replacing peer verification with public key pinning:

#2935 (comment)

Yet, the first question for verifying the certificate (once again, not the chain of certs, but only a single cert) of the remote still remains - be it signed by a private CA or self-signed (not sure if all self-signed certs are considered CA certs).

[jay]

Public key pinning verifies the server certificate's public key. It will verify even if the traditional peer verification is turned off. I've proposed #11930 to explain.