Compiling curl and libcurl
Download the curl source (git clone https://github.com/curl/curl). The file curl\winbuild\BUILD.WINDOWS.txt details the commands for compiling the Windows curl and libcurl libraries with NMAKE; the following is an excerpt:
    nmake /f Makefile.vc mode=<static or dll> <options>

    where <options> is one or many of:
      VC=<6,7,8,9,10,11,12,14>     - VC versions
      WITH_DEVEL=<path>            - Paths for the development files (SSL, zlib, etc.)
                                     Defaults to sibling directory deps: ../deps
                                     Libraries can be fetched at http://windows.php.net/downloads/php-sdk/deps/
                                     Uncompress them into the deps folder.
      WITH_SSL=<dll or static>     - Enable OpenSSL support, DLL or static
      WITH_MBEDTLS=<dll or static> - Enable mbedTLS support, DLL or static
      WITH_CARES=<dll or static>   - Enable c-ares support, DLL or static
      WITH_ZLIB=<dll or static>    - Enable zlib support, DLL or static
      WITH_SSH2=<dll or static>    - Enable libSSH2 support, DLL or static
      ENABLE_SSPI=<yes or no>      - Enable SSPI support, defaults to yes
      ENABLE_IPV6=<yes or no>      - Enable IPv6, defaults to yes
      ENABLE_IDN=<yes or no>       - Enable use of Windows IDN APIs, defaults to yes
                                     Requires Windows Vista or later, or installation from:
                                     https://www.microsoft.com/downloads/details.aspx?familyid=ad6158d7-ddba-416a-9109-07607425a815
      ENABLE_WINSSL=<yes or no>    - Enable native Windows SSL support, defaults to yes
      GEN_PDB=<yes or no>          - Generate Program Database (debug symbols for release build)
      DEBUG=<yes or no>            - Debug builds
      MACHINE=<x86 or x64>         - Target architecture (default is x86)
The build options show that there are two main SSL modes for compiling curl: the default is a build on the Windows-native WinSSL, and the other is a build on the OpenSSL encryption library.
1. curl + WinSSL
Command:
    nmake /f Makefile.vc mode=dll VC=10
By default this build uses SSPI, IDN, WinSSL and related technologies: it relies on the CA digital certificate files that come with the Windows system and on the WinSSL SSL encryption library (Schannel and Secure Transport). This approach has several advantages. First, because it uses the Windows encryption library, there are no cross-platform considerations and performance is naturally optimal. Second, there is no need to bring in the third-party OpenSSL library, to explicitly install an HTTPS CA digital certificate file, or to package the root certificate into the software. The disadvantages are just as obvious. Windows exists in many system versions whose SSL implementations differ considerably, and SSL security on earlier versions of Windows is not as high. The most serious problem is that Windows XP and similar systems still have a very large user base domestically, and Windows XP does not support SNI. If the server uses SNI and multiple certificates are configured for the same domain name, a certificate error may be returned and HTTPS access will fail.
SNI (Server Name Indication) arose with virtual server technology, which lets one server host multiple domain names. When an HTTPS request is initiated, the requested domain name is added to the HTTPS request header; when the server receives the request, it returns the corresponding root certificate based on the domain name in the request header.
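On the wire, the domain name described above is the server_name extension of the TLS ClientHello, so a captured handshake shows whether a given client build sends SNI. The parser below is an added example, not code from the original article; the SAMPLE bytes are constructed and the names cur_t, skip, get_len and client_hello_sni are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample: minimal TLS 1.2 ClientHello carrying SNI "example.test". */
static const uint8_t SAMPLE[] = {
    0x16, 0x03, 0x01, 0x00, 0x44,        /* record: handshake, 68 bytes */
    0x01, 0x00, 0x00, 0x40, 0x03, 0x03,  /* ClientHello, 64 bytes, TLS 1.2 */
    [43] = 0x00,                         /* zeroed random, then empty session_id */
    0x00, 0x02, 0x00, 0x2f, 0x01, 0x00,  /* one cipher suite, null compression */
    0x00, 0x15, 0x00, 0x00, 0x00, 0x11,  /* extensions: 21 bytes; type 0, 17 bytes */
    0x00, 0x0f, 0x00, 0x00, 0x0c,        /* list length, host_name type, name length */
    'e','x','a','m','p','l','e','.','t','e','s','t'
};

typedef struct { const uint8_t *p; size_t left; } cur_t;  /* bounds-checked cursor */
static int skip(cur_t *c, size_t n) {
    if (c->left < n) return -1;
    c->p += n; c->left -= n;
    return 0;
}
static int get_len(cur_t *c, int w, size_t *out) {  /* big-endian length, w bytes */
    if (c->left < (size_t)w) return -1;
    for (*out = 0; w-- > 0; c->left--) *out = (*out << 8) | *c->p++;
    return 0;
}

/* Returns 1 and fills host if SNI is present, 0 if absent, -1 if malformed. */
int client_hello_sni(const uint8_t *buf, size_t len, char *host, size_t cap) {
    cur_t c = { buf, len };
    size_t n, type, ext_len;
    if (len < 6 || buf[0] != 0x16 || buf[5] != 0x01) return -1;
    if (skip(&c, 5 + 4 + 2 + 32)) return -1;           /* headers, version, random */
    if (get_len(&c, 1, &n) || skip(&c, n)) return -1;  /* session_id */
    if (get_len(&c, 2, &n) || skip(&c, n)) return -1;  /* cipher_suites */
    if (get_len(&c, 1, &n) || skip(&c, n)) return -1;  /* compression_methods */
    if (c.left == 0) return 0;                         /* no extensions block at all */
    if (get_len(&c, 2, &n) || n > c.left) return -1;
    for (c.left = n; c.left > 0; skip(&c, ext_len)) {  /* walk the extensions */
        if (get_len(&c, 2, &type) || get_len(&c, 2, &ext_len) || ext_len > c.left) return -1;
        if (type != 0) continue;                       /* not server_name */
        if (ext_len < 5 || c.p[2] != 0) return -1;
        n = ((size_t)c.p[3] << 8) | c.p[4];
        if (n + 5 > ext_len || n + 1 > cap) return -1;
        memcpy(host, c.p + 5, n); host[n] = '\0';
        return 1;
    }
    return 0;
}
int main(void) {
    char host[256] = "";
    int r = client_hello_sni(SAMPLE, sizeof SAMPLE, host, sizeof host);
    return printf("rc=%d sni=%s\n", r, host) < 0;
}
```

A return value of 0 on a well-formed ClientHello is what a client without SNI support, such as the Windows XP case described above, produces.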
2. curl + OpenSSL
Command:
    nmake /f Makefile.vc mode=dll VC=10 WITH_DEVEL=<OpenSSL build directory> ENABLE_SSPI=no ENABLE_WINSSL=no
For this build you must first download the OpenSSL source code or an already compiled OpenSSL library, put it in a directory, and pass that directory in the WITH_DEVEL parameter. For the detailed compilation steps, see http://www.cnblogs.com/openiris/p/3812443.html.
A major advantage of curl and libcurl built on OpenSSL is that they use newer SSL encryption algorithms and offer high security, and you do not have to deal with problems caused by different operating systems' SSL libraries. The disadvantage is that the OpenSSL library must be brought in separately, and you need to manually export the root certificates from Mozilla, then either compile them into OpenSSL or package them with the software and explicitly configure curl to load them. The curl official website provides the CA digital certificate file for download at https://curl.haxx.se/ca/cacert.pem; the update page is https://curl.haxx.se/docs/caextract.html.
Command to update the CA digital certificate file remotely (it is downloaded only if the certificate has changed):
    curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem
Meaning of the curl HTTPS parameters
1. CURL_VERIFY_PEER (CURLOPT_SSL_VERIFYPEER)
This parameter verifies the legitimacy of the HTTPS peer: the certificate returned by the server is decrypted with a CA digital certificate issued by a third-party certificate authority to verify that it is legitimate. The CA digital certificates can be compiled in at build time, or the root certificate can be set through the CURLOPT_CAINFO or CURLOPT_CAPATH parameter. The default value is 1.
2. CURL_VERIFY_HOST (CURLOPT_SSL_VERIFYHOST)
This parameter is mainly used in HTTPS requests to check that the returned certificate is consistent with the requested domain name, which guards against tampering with the certificate file. The default value is 2.
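curl HTTPS access samples based on WinSSL and OpenSSL
1. Ignoring certificate validation
If you do not want to verify the security of the peer and host, you can set:
    /* Turns off both the certificate chain check and the host name check. */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);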
2. HTTPS curl examples
WinSSL:
    #include <string>
    #include <curl/curl.h>

    /* m_bDebug, OnDebug, OnWriteData and TIME_OUT_NUM are defined elsewhere in the author's code. */
    /* pCaPath is not used in this build: WinSSL verifies against the certificates that come with Windows. */
    int Posts(const std::string& strUrl, const std::string& strPost, std::string& strResponse, std::string& strErrorBuf, const char* pCaPath)
    {
        CURLcode res;
        CURL* curl = curl_easy_init();
        char errbuf[CURL_ERROR_SIZE];
        if (NULL == curl)
        {
            return CURLE_FAILED_INIT;
        }
        if (m_bDebug)
        {
            curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
            curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, OnDebug);
        }
        curl_easy_setopt(curl, CURLOPT_URL, strUrl.c_str());
        /* provide a buffer to store errors in */
        curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errbuf);
        curl_easy_setopt(curl, CURLOPT_POST, 1L);
        curl_easy_setopt(curl, CURLOPT_POSTFIELDS, strPost.c_str());
        curl_easy_setopt(curl, CURLOPT_READFUNCTION, NULL);
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, OnWriteData);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void*)&strResponse);
        curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1L);
        /* verify the certificate chain and that the certificate matches the host name */
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
        curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, TIME_OUT_NUM);
        curl_easy_setopt(curl, CURLOPT_TIMEOUT, TIME_OUT_NUM);
        /* set the error buffer as empty before performing a request */
        errbuf[0] = 0;
        res = curl_easy_perform(curl);
        curl_easy_cleanup(curl);
        strErrorBuf = errbuf;
        return res;
    }
OpenSSL:
    #include <string>
    #include <curl/curl.h>

    /* m_bDebug, OnDebug, OnWriteData and TIME_OUT_NUM are defined elsewhere in the author's code. */
    int Posts(const std::string& strUrl, const std::string& strPost, std::string& strResponse, std::string& strErrorBuf, const char* pCaPath)
    {
        CURLcode res;
        CURL* curl = curl_easy_init();
        char errbuf[CURL_ERROR_SIZE];
        if (NULL == curl)
        {
            return CURLE_FAILED_INIT;
        }
        if (m_bDebug)
        {
            curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
            curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, OnDebug);
        }
        curl_easy_setopt(curl, CURLOPT_URL, strUrl.c_str());
        /* provide a buffer to store errors in */
        curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errbuf);
        curl_easy_setopt(curl, CURLOPT_POST, 1L);
        curl_easy_setopt(curl, CURLOPT_POSTFIELDS, strPost.c_str());
        curl_easy_setopt(curl, CURLOPT_READFUNCTION, NULL);
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, OnWriteData);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void*)&strResponse);
        curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1L);
        if (pCaPath)
        {
            /* verify against the CA file supplied by the caller */
            curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
            curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
            curl_easy_setopt(curl, CURLOPT_CAINFO, pCaPath);
        }
        else
        {
            /* fall back to cacert.pem in the current working directory */
            curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
            curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
            curl_easy_setopt(curl, CURLOPT_CAINFO, "cacert.pem");
        }
        curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, TIME_OUT_NUM);
        curl_easy_setopt(curl, CURLOPT_TIMEOUT, TIME_OUT_NUM);
        /* set the error buffer as empty before performing a request */
        errbuf[0] = 0;
        res = curl_easy_perform(curl);
        curl_easy_cleanup(curl);
        strErrorBuf = errbuf;
        return res;
    }
References:
a) https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
b) https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
c) https://curl.haxx.se/docs/sslcerts.html