When writing security-sensitive applications (e.g. a client for the Mozilla Persona verifier), it is often useful to do SSL certificate pinning instead of trusting the X.509 CA system.
It would be nice if curl had an API supporting certificate pinning. This API should be reliable, easy to use and work across all the SSL backends ;) Unfortunately, this is not the case with the current library: e.g. CURLOPT_CERTINFO + CURLOPT_SSL_CTX_FUNCTION is supported with OpenSSL only, and passing the server certificate instead of a CA chain via CURLOPT_CAINFO also works with OpenSSL only.
For certificate pinning, easy access to the certificate fingerprint would be ideal. E.g. a CURLOPT_CERTFP option could be added that returns the fingerprint in CURLINFO_CERTFP. The hash type could either be selected by the value of CURLOPT_CERTFP or by providing multiple CURLINFO_CERTFP_<hash> results. At the moment, I would prefer the first method.
Alternatively, the whole certificate could be returned via CURLOPT_CERTIFICATE and CURLINFO_CERTIFICATE_DER/PEM options.
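Added example (not part of this request or of curl): given the DER certificate that a CURLINFO_CERTIFICATE_DER-style option would hand back, this shows both flavours of pin the request discusses, a fingerprint over the whole certificate and, going one step further, a pin over the subjectPublicKeyInfo alone, which survives certificate reissue. The DER parser is minimal and the sample certificate is constructed by hand; only its layout is realistic.

```python
import base64
import hashlib
import hmac

def _tlv(buf, pos):  # one DER TLV -> (tag, element_start, value_start, value_end)
    tag, length, start = buf[pos], buf[pos + 1], pos
    pos += 2
    if length & 0x80:                 # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, start, pos, pos + length

def _children(buf, start, end):  # yield the TLVs that make up a SEQUENCE body
    pos = start
    while pos < end:
        tlv = _tlv(buf, pos)
        yield tlv
        pos = tlv[3]

def spki_from_der(cert_der):
    """Return the DER of subjectPublicKeyInfo (header included) from an X.509 cert."""
    _, _, cs, ce = _tlv(cert_der, 0)                       # Certificate ::= SEQUENCE
    _, _, ts, te = next(_children(cert_der, cs, ce))       # tbsCertificate comes first
    fields = list(_children(cert_der, ts, te))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, es, _, ve = fields[5]
    return cert_der[es:ve]

def cert_fingerprint(cert_der):  # hex SHA-256 over the whole DER (CURLINFO_CERTFP style)
    return hashlib.sha256(cert_der).hexdigest()

def spki_pin(cert_der):  # base64(SHA-256(SPKI DER)), the format HPKP and curl --pinnedpubkey use
    return base64.b64encode(hashlib.sha256(spki_from_der(cert_der)).digest()).decode()

def pin_matches(cert_der, allowed_pins):  # constant-time check against a list incl. backup pins
    pin = spki_pin(cert_der)
    return any(hmac.compare_digest(pin, p) for p in allowed_pins)

# Constructed minimal certificate (not a real cert; only the DER layout matters here).
def _der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only (< 128 bytes)
_ALG = _der(0x30, _der(0x06, b"\x2a"))                            # placeholder AlgorithmIdentifier
SAMPLE_SPKI = _der(0x30, _ALG + _der(0x03, b"\x00\x04\x01\x02"))  # SEQUENCE { alg, BIT STRING }
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _ALG
            + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(0x30, _TBS + _ALG + _der(0x03, b"\x00\xff"))
```

In a real client the DER would come from the TLS layer (e.g. `ssl.SSLSocket.getpeercert(binary_form=True)`), and `pin_matches` would be evaluated before any request data is sent.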