From 93e450793ce289925dfd1d5e3b2d14e781f8dfd4 Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Tue, 30 Sep 2014 22:31:17 -0400 Subject: SSL: implement public key pinning Option --pinnedpubkey takes a path to a public key in DER format and only connect if it matches (currently only implemented with OpenSSL). Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt(). Extract a public RSA key from a website like so: openssl s_client -connect google.com:443 2>&1 < /dev/null | \ sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \ | openssl rsa -pubin -outform DER > google.com.der --- docs/curl.1 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'docs/curl.1') diff --git a/docs/curl.1 b/docs/curl.1 index 4d97227af..90b284288 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -530,6 +530,19 @@ OpenSSL-powered curl to make SSL-connections much more efficiently than using If this option is set, the default capath value will be ignored, and if it is used several times, the last one will be used. +.IP "--pinnedpubkey " +(SSL) Tells curl to use the specified public key file to verify the peer. The +file must contain a single public key in DER format. + +When negotiating a TLS or SSL connection, the server sends a certificate +indicating its identity. A public key is extracted from this certificate +and if it does not exactly match the public key provided to this option, +curl will abort the connection before sending or receiving any data. + +This is currently only implemented in the OpenSSL backend, with more backends +expected to follow shortly. + +If this option is used several times, the last one will be used. .IP "-f, --fail" (HTTP) Fail silently (no output at all) on server errors. This is mostly done to better enable scripts etc to better deal with failed attempts. In 
@@ -2180,6 +2193,8 @@ unable to parse FTP file list FTP chunk callback reported error .IP 89 No connection available, the session will be queued +.IP 90 +SSL public key does not matched pinned public key .IP XX More error codes will appear here in future releases. The existing ones are meant to never change. -- cgit v1.2.3
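Review bot: the new --pinnedpubkey entry (first hunk) says the option is only implemented in the OpenSSL backend but does not say what curl does when another backend is in use; a pin that is silently accepted and ignored would leave the user believing the connection is pinned when it is not, so the text should state that curl refuses the option or fails the connection in that case, and the implementation should match. The entry should also say whether the pin check is performed in addition to, or instead of, the normal certificate verification, since the paragraph describing the abort could be read either way. Minor: the `.IP "--pinnedpubkey "` line has a trailing space inside the quotes and names no argument even though the option takes a file path; `.IP "--pinnedpubkey <file>"` would match both the surrounding entries and the description.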
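Review bot: the new exit-code line in the second hunk, "SSL public key does not matched pinned public key", has a grammatical error; it should read "SSL public key does not match pinned public key". Worth fixing here before the same string is copied into any other place that lists this error code.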
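The man-page text above describes the check in two sentences: the public key is extracted from the server certificate and must match the pinned DER file exactly. The following is an added example (not curl's own code, which lives in its OpenSSL backend and is not shown on this page) that walks the DER structure of an X.509 certificate to pull out the SubjectPublicKeyInfo and compares it byte-for-byte with a pinned key. The certificate and key it runs on are constructed in the block from toy values; the use of `hmac.compare_digest` for the comparison is this example's choice, as the page does not say how curl compares the two encodings.

```python
"""Public-key pinning check of the kind --pinnedpubkey is documented to perform.
Added example, not curl's code. Fixtures below are constructed toy values."""
import hmac

SEQUENCE, CONTEXT_0 = 0x30, 0xA0


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element: tag, definite length (short or long form), content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int):
    """Decode the element at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start, end = pos + header, pos + header + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, start, end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo element of a DER X.509 certificate.
    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, pos, _ = der_read(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    tag, pos, _ = der_read(cert_der, pos)
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, nxt = der_read(cert_der, pos)
    if tag == CONTEXT_0:          # explicit [0] version is optional (absent in v1)
        pos = nxt
    for _ in range(5):            # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(cert_der, pos)
    tag, _, end = der_read(cert_der, pos)
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]      # whole TLV, exactly what a DER pin file holds


def pin_matches(cert_der: bytes, pinned_spki_der: bytes) -> bool:
    """The pin check itself: exact byte equality of the two DER encodings
    (constant-time compare is this example's choice, not something the page states)."""
    return hmac.compare_digest(extract_spki(cert_der), pinned_spki_der)


# --- constructed fixtures: a toy RSA SPKI and a structurally valid certificate ---
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11


def der_int(value: int) -> bytes:
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:             # keep the INTEGER positive
        raw = b"\x00" + raw
    return der_tlv(0x02, raw)


def build_toy_spki(modulus: int, exponent: int) -> bytes:
    """SubjectPublicKeyInfo: rsaEncryption AlgorithmIdentifier + BIT STRING { n, e }."""
    rsa_public_key = der_tlv(SEQUENCE, der_int(modulus) + der_int(exponent))
    algorithm = der_tlv(SEQUENCE, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    return der_tlv(SEQUENCE, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))


def build_toy_certificate(spki: bytes) -> bytes:
    """DER certificate wrapping the given SPKI; the signature is a zero placeholder,
    so this would never pass real chain validation. Only the layout matters here."""
    name = der_tlv(SEQUENCE, der_tlv(0x31, der_tlv(SEQUENCE,
        der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, b"example.invalid"))))
    sig_alg = der_tlv(SEQUENCE, der_tlv(0x06, SHA256_WITH_RSA_OID) + der_tlv(0x05, b""))
    validity = der_tlv(SEQUENCE, der_tlv(0x17, b"140930000000Z") + der_tlv(0x17, b"150930000000Z"))
    tbs = der_tlv(SEQUENCE, der_tlv(CONTEXT_0, der_int(2)) + der_int(1)
                  + sig_alg + name + validity + name + spki)
    return der_tlv(SEQUENCE, tbs + sig_alg + der_tlv(0x03, b"\x00" * 33))


if __name__ == "__main__":
    pinned = build_toy_spki(0xC0FFEE1234567891, 65537)
    cert = build_toy_certificate(pinned)
    other = build_toy_spki(0xDEADBEEF87654321, 65537)
    print("pinned key matches:", pin_matches(cert, pinned))   # True
    print("other key matches: ", pin_matches(cert, other))    # False
```

Note that this only performs the pin comparison; chain validation, hostname checking and expiry are separate steps that a pin does not replace. The toy certificate is long enough to exercise the long-form DER length encoding, which is where hand-written DER walkers most often go wrong.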