Certificate Verification

cmake/Modules/Packages/KIM.cmake

@@ -5,6 +5,16 @@ if(PKG_KIM)
     include_directories(${CURL_INCLUDE_DIRS})
     list(APPEND LAMMPS_LINK_LIBS ${CURL_LIBRARIES})
     add_definitions(-DLMP_KIM_CURL)
+    set(LMP_DEBUG_CURL OFF CACHE STRING "Set libcurl verbose mode on/off. If on, it displays a lot of verbose information about its operations.")
+    mark_as_advanced(LMP_DEBUG_CURL)
+    if(LMP_DEBUG_CURL)
+      add_definitions(-DLMP_DEBUG_CURL)
+    endif()
+    set(LMP_NO_SSL_CHECK OFF CACHE STRING "Tell libcurl to not verify the peer. If on, the connection succeeds regardless of the names in the certificate. Insecure - Use with caution!")
+    mark_as_advanced(LMP_NO_SSL_CHECK)
+    if(LMP_NO_SSL_CHECK)
+      add_definitions(-DLMP_NO_SSL_CHECK)
+    endif()
   endif()
   find_package(KIM-API QUIET)
   if(KIM-API_FOUND)

doc/src/Build_extras.rst

@@ -195,12 +195,32 @@ minutes to hours) to build.  Of course you only need to do that once.)
 .. parsed-literal::
 
    -D DOWNLOAD_KIM=value           # download OpenKIM API v2 for build, value = no (default) or yes
+   -D LMP_DEBUG_CURL=value         # set libcurl verbose mode on/off, value = off (default) or on
+   -D LMP_NO_SSL_CHECK=value       # tell libcurl to not verify the peer, value = no (default) or yes
 
 If DOWNLOAD\_KIM is set, the KIM library will be downloaded and built
 inside the CMake build directory.  If the KIM library is already on
 your system (in a location CMake cannot find it), set the PKG\_CONFIG\_PATH
 environment variable so that libkim-api can be found.
 
+For using KIM web queries.
+
+If LMP\_DEBUG\_CURL is set, the libcurl verbose mode will be on, and any
+libcurl calls within the KIM web query display a lot of information about
+libcurl operations. You hardly ever want this set in production use, you will
+almost always want this when you debug/report problems.
+
+The libcurl performs peer SSL certificate verification by default. This
+verification is done using a CA certificate store that the SSL library can
+use to make sure the peer's server certificate is valid. If SSL reports an
+error ("certificate verify failed") during the handshake and thus refuses
+further communication with that server, you can set LMP\_NO\_SSL\_CHECK.
+If LMP\_NO\_SSL\_CHECK is set, libcurl does not verify the peer and connection
+succeeds regardless of the names in the certificate. This option is insecure.
+As an alternative, you can specify your own CA cert path by setting the
+environment variable CURL\_CA\_BUNDLE to the path of your choice. A call to the
+KIM web query would get this value from the environmental variable.
+
 **Traditional make**\ :
 
 You can download and build the KIM library manually if you prefer;

doc/txt/Build_extras.txt

@@ -186,13 +186,34 @@ minutes to hours) to build.  Of course you only need to do that once.)
 
 [CMake build]:
 
--D DOWNLOAD_KIM=value           # download OpenKIM API v2 for build, value = no (default) or yes :pre
+-D DOWNLOAD_KIM=value           # download OpenKIM API v2 for build, value = no (default) or yes
+-D LMP_DEBUG_CURL=value         # set libcurl verbose mode on/off, value = off (default) or on
+-D LMP_NO_SSL_CHECK=value       # tell libcurl to not verify the peer, value = no (default) or yes
+:pre
 
 If DOWNLOAD_KIM is set, the KIM library will be downloaded and built
 inside the CMake build directory.  If the KIM library is already on
 your system (in a location CMake cannot find it), set the PKG_CONFIG_PATH
 environment variable so that libkim-api can be found.
 
+For using OpenKIM web queries in LAMMPS.
+
+If LMP_DEBUG_CURL is set, the libcurl verbose mode will be on, and any
+libcurl calls within the KIM web query display a lot of information about
+libcurl operations. You hardly ever want this set in production use, you will
+almost always want this when you debug/report problems.
+
+The libcurl performs peer SSL certificate verification by default. This
+verification is done using a CA certificate store that the SSL library can
+use to make sure the peer's server certificate is valid. If SSL reports an
+error ("certificate verify failed") during the handshake and thus refuses
+further communication with that server, you can set LMP_NO_SSL_CHECK.
+If LMP_NO_SSL_CHECK is set, libcurl does not verify the peer and connection
+succeeds regardless of the names in the certificate. This option is insecure.
+As an alternative, you can specify your own CA cert path by setting the
+environment variable CURL_CA_BUNDLE to the path of your choice. A call to the
+KIM web query would get this value from the environmental variable.
+
 [Traditional make]:
 
 You can download and build the KIM library manually if you prefer;

src/KIM/kim_query.cpp

@@ -72,6 +72,7 @@
 #if defined(LMP_KIM_CURL)
 #include <sys/types.h>
 #include <curl/curl.h>
+#include <cstdlib>
 #endif
 
 using namespace LAMMPS_NS;
@@ -257,11 +258,25 @@ char *do_query(char *qfunction, char * model_name, int narg, char **arg,
       curl_easy_setopt(handle, CURLOPT_VERBOSE, 1L);
 #endif
 
-#if defined(LMP_NO_SSL_CHECK)
-      // disable verifying SSL certificate and host name
+#if LMP_NO_SSL_CHECK
+      // Certificate Verification
+      // by telling libcurl to not verify the peer.
+      // Disable verifying SSL certificate and host name. Insecure.
       curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, 0L);
       curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 0L);
 #endif
+
+      {
+        char *env_c = std::getenv("CURL_CA_BUNDLE");
+        if (env_c)
+        {
+          // Certificate Verification
+          // by specifying your own CA cert path. Set the environment variable
+          // CURL_CA_BUNDLE to the path of your choice.
+          curl_easy_setopt(handle, CURLOPT_CAINFO, env_c);
+        }
+      }
+
       std::string user_agent = std::string("kim_query--LAMMPS/")
                                + LAMMPS_VERSION
                                + " (" + Info::get_os_info() + ")";