Certificate info is printed only if peer verification succeeded #163
Comments
|
I will agree that it would be useful to allow this to get extracted even when the check fails. You feel like taking a shot at a patch for that? |
|
Yes, I think I do. Any tips or guidance for this particular spot? |
|
Not really, i can't recall the exact reason why it ended up in that place within the handshake but a first try would be to just change where the call is made to instead be done before the certificate check is made. |
|
Ok, thanks, Should I also add a command line option (--showCertChain ) to the tool? |
|
That'd be great! |
|
Unfortunately, OpenSSL does not keep certificate chain info when verification fails (see ssl3_get_server_certificate in openssl). So implementing this feature is impossible without changes to openssl |
|
Ok, but isn't it possible to extract it before it fails then? |
|
No. Certificate chain is kept inside openssl and and never assigned to anything visible from outside. |
|
If you set CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to 0 (like with --insecure) then you can still get the certs dumped without verification. So what if we for example just stored the failed verification status and didn't react on it until after the certinfo is extracted? |
|
Dead |
CURLINFO_CERTINFO force printing certificate chain information to output/debug function.
But it only works if peer verification succeeds, because it is implemented in servercert function, which is called from ossl_connect_step3.
This limitaion makes CURLINFO_CERTINFO much less useful, because certificate info is often used for certificate issues debugging
The text was updated successfully, but these errors were encountered: