HTTPS/LibCurlSSL

BlitzMax Forums/Brucey's Modules/HTTPS/LibCurlSSL

BlitzSupport

(Posted 2013) [#1]

Hi Brucey,

You posted some code for accessing HTTPS sites a while back (link below), but I couldn't get it to work -- any site I tried resulted in an error message "Peer certificate cannot be authenticated with given CA certificates":

http://www.blitzbasic.com/Community/posts.php?topic=101247

Any idea what the problem might be? I'm not really very clued-in on the certificate stuff...

This was the code:

Framework BaH.libcurlssl
Import BRL.StandardIO
Import BRL.FileSystem

Local curl:TCurlEasy = TCurlEasy.Create()

curl.setWriteString()
curl.setOptInt(CURLOPT_FOLLOWLOCATION, 1)

curl.setOptString(CURLOPT_URL, "https://some.web.page.com")

Local res:Int = curl.perform()

If res Then
	Print CurlError(res)
	End
End If

curl.cleanup()

Print curl.toString()

Brucey

(Posted 2013) [#2]

On OS X and Linux (at least when I tried it myself), the system appears to be able to handle the certification itself.

But for all platforms, you can use a certification bundle, which is basically a list of up-to-date valid certificates. If you add this line (or something similar pointing to a valid file) :

curl.setOptString(CURLOPT_CAINFO, "../certificates/cacert.pem")

it will attempt to read the bundle and use that to certify the website during the connection process.

You should see something like this in the log :

...
* Connected to www.google.co.uk (173.194.41.191) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: ../certificates/cacert.pem
  CApath: none
* SSL connection using RC4-SHA
* Server certificate:
...

Example 08 should work in this way now.

I've also just updated the certificate in SVN to the latest (as per the one available from here )

BlitzSupport

(Posted 2013) [#3]

Ah, works perfect, many thanks Brucey!

I thought it somehow got compiled into the static library (for some reason) but it looks like you can just distribute the .pem with your program and either comply with the GPL/LGPL if open-source, or LGPL/MPL if distributing standalone alongside a closed-source application. (Tried Incbin'ing it, which MPL would seem to allow, but CURL then can't locate it since it wants a 'real' path... just noting for anyone else who stumbles across this.)

Thanks again, nice to know this functionality is available to us.

Working example (tested on Windows) for anyone else -- all credit to Brucey -- place "cacert.pem" from http://curl.haxx.se/docs/caextract.html into the same folder as the source/final executable and make sure to comply with one of the above licences if distributing, MPL being the least restrictive:


' Licensing for cacert.pem from <a href="http://curl.haxx.se/docs/caextract.html" target="_blank">http://curl.haxx.se/docs/caextract.html</a> :

' This new file is only a converted version of the original one and thus
' it is licensed under the same licenses as the Mozilla source file:
' MPL 1.1, GPL v2.0 or LGPL 2.1

' <a href="http://www.mozilla.org/MPL/2.0/FAQ.html" target="_blank">http://www.mozilla.org/MPL/2.0/FAQ.html</a>

Framework BaH.libcurlssl
Import BRL.StandardIO
Import BRL.FileSystem

Local curl:TCurlEasy = TCurlEasy.Create()

curl.setWriteString()
curl.setOptInt(CURLOPT_FOLLOWLOCATION, 1)

curl.setOptString(CURLOPT_CAINFO, "cacert.pem")

curl.setOptString(CURLOPT_URL, "https://www.google.co.uk/")

Local res:Int = curl.perform()

If res Then
	Print CurlError(res)
	End
End If

curl.cleanup()

Print curl.toString()

Grisu

(Posted 2013) [#4]

@Bruce: Is the "BaH.Libcurl" mod also affected by the update?

Brucey

(Posted 2013) [#5]

No, as it doesn't use SSL ;-)

Grisu

(Posted 2013) [#6]

Phew.. saved for now. :)