arkascha

Reputation: 42915

Inline certificate for libcurl instead of using an external bundle?

I am using libcurl for a small C application. The project uses HTTPS and requires validation of both server and client certificates. I cannot use an option to suppress the verification, since I work in an insecure environment.

I am currently trying to get the server side certificate validated. First attempts gave me an expected error:

Peer certificate cannot be authenticated with given CA certificates

As said, an expected error; I understand what the message means. I dug into the documentation of libcurl and found that it supports "certificate bundles", and that younger versions do not come with a bundle at all. All options I found (and also all explanations) refer to certificate files read at runtime and obviously suggest including the required CA certificate in the local bundle.

Instead I would prefer to include a single certificate inline in the application, i.e. compiled in. This does make sense for this special case, since the application only tries to access a single, hard-coded URL, i.e. server. I accept that I'd have to replace all deployed copies of the application if the server certificate gets changed. However, I do not find any options for that in the documentation. I would prefer this strategy, since it allows a much more compact deployment of the application: a single file instead of a directory structure and runtime configuration.

So my question is: does libcurl offer to include a CA certificate at compile time which can be used at runtime without having to rely on an external bundle?

Upvotes: 0

Views: 215

Answers (1)

Sergey L.

Reputation: 22542

In libcurl the part that verifies certificates is handled by OpenSSL. You could use SSL_CTX_use_certificate to install your certificate at runtime or use SSL_CTX_set_verify to overwrite the SSL verification function with your own.

Check curlx.c for an example.

Upvotes: 1
