Bug 1195771 - support "--pinnedpubkey" option (feature REQ)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: curl
Version: 21
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-02-24 14:22 UTC by Richard Z.
Modified: 2015-06-24 15:59 UTC
CC: 3 users

Fixed In Version: curl-7.40.0-5.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-24 15:59:14 UTC
Type: Bug
Embargoed:



Description Richard Z. 2015-02-24 14:22:46 UTC
curl 7.39.0 and later support --pinnedpubkey - if compiled to use the OpenSSL library.

As far as I can see this is the only cli download utility which is capable of certificate pinning at all so it would be really good to have that functionality.

Comment 1 Richard Z. 2015-02-24 14:53:42 UTC
more details:
http://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html

<<This is currently only implemented in the OpenSSL, GnuTLS and GSKit backends.
  Added in libcurl 7.39.0 >>
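
The check that --pinnedpubkey performs, as an added example in Python that is not code from curl or from this bug report: the TLS backend hands curl the server's SubjectPublicKeyInfo (SPKI) in DER form, and curl compares it with the public key read from the pinned file (PEM or DER). The block also models the sha256// pin form, which curl added in a later release than the ones named here; the RSA key and DER encoder are constructed for the example.

```python
# Added example, not code from curl or from this bug report: a Python model of
# the check --pinnedpubkey performs. The TLS backend hands curl the server's
# SubjectPublicKeyInfo (SPKI) in DER; it must equal the key in the pinned file
# (PEM or DER). The sha256// pin form is modelled too (a later curl addition).
import base64
import hashlib
import hmac
import re

def der_tlv(tag, body):
    """Encode one DER tag-length-value (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_int(value):
    """DER INTEGER; the byte count is padded so the sign bit stays clear."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_spki(modulus, exponent):
    """Build a SubjectPublicKeyInfo for an RSA key (constructed test input)."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1
    alg = der_tlv(0x30, rsa_oid + b"\x05\x00")          # AlgorithmIdentifier + NULL
    rsa_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_key))  # BIT STRING

def pem_to_der(text):
    """Extract the DER bytes from a 'BEGIN PUBLIC KEY' PEM block."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", text, re.S)
    if not m:
        raise ValueError("not a PEM public key")
    return base64.b64decode("".join(m.group(1).split()))

def spki_pin(spki_der):
    """Pin string for a key: base64(SHA-256(DER SPKI)) behind the sha256// prefix."""
    return "sha256//" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pinned_pubkey_matches(server_spki_der, pinned):
    """True when the presented key matches the pin; curl aborts the transfer on False.
    'pinned' is the pinned-key file contents (PEM str or DER bytes) or a sha256// pin."""
    if isinstance(pinned, str) and pinned.startswith("sha256//"):
        return hmac.compare_digest(spki_pin(server_spki_der), pinned)
    expected = pem_to_der(pinned) if isinstance(pinned, str) else pinned
    return hmac.compare_digest(server_spki_der, expected)
```

A mismatch at this point is the whole protection: the handshake is otherwise valid, so only the pin comparison stops a transfer to a server that presents a different key.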

Comment 2 Kamil Dudka 2015-02-24 14:54:30 UTC
I am not sure whether NSS API is ready for this.  I can see it is already implemented in Firefox:

https://bugzilla.mozilla.org/show_bug.cgi?id=744204
https://bugzilla.mozilla.org/show_bug.cgi?id=787133

... but curl might be too low-level of a tool to gain anything from the Firefox implementation.

Comment 3 Richard Z. 2015-02-24 18:54:26 UTC
Are we stuck with NSS?

Comment 4 Kamil Dudka 2015-02-25 09:09:04 UTC
(In reply to Richard Z. from comment #3)
> Are we stuck with NSS?

libcurl was ported to NSS as part of the Fedora Crypto Consolidation project:

http://fedoraproject.org/wiki/FedoraCryptoConsolidation

We have put a lot of effort into making it stable and feature-complete.  If there is a requirement for the public key pinning, it is a reason to write a patch, not a reason to switch the backend IMO.

But you are free to recompile libcurl against OpenSSL or GnuTLS on your own...

Comment 5 Kamil Dudka 2015-03-25 13:25:24 UTC
patch sent upstream:

http://article.gmane.org/gmane.comp.web.curl.library/45293

Comment 6 Kamil Dudka 2015-04-22 11:46:02 UTC
upstream commit:

https://github.com/bagder/curl/commit/b47c17d6

Comment 7 Kamil Dudka 2015-04-22 14:32:58 UTC
fixed in curl-7.42.0-1.fc23

Comment 8 Fedora Update System 2015-06-17 20:54:25 UTC
curl-7.40.0-5.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/curl-7.40.0-5.fc22

Comment 9 Fedora Update System 2015-06-21 00:05:51 UTC
Package curl-7.40.0-5.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing curl-7.40.0-5.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10155/curl-7.40.0-5.fc22
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2015-06-24 15:59:14 UTC
curl-7.40.0-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

