Using pinned certificates with our CURL plugin functions

To increase the security of the TLS connections you make with our CURL plugin functions, you can pin the certificate. That means you store a hash of the server certificate's public key, and CURL checks this hash against the public key in the certificate the server presents. If the hash does not match, the connection is closed and you get back error code 90 with the message “SSL: public key does not match pinned public key!”.

If you want to see the certificate, set the cert info option to true. The plugin then collects the certificate information so you can query it later. In the MBS Xojo CURL Plugin, use the OptionCertInfo property and the GetInfoCertInfo method of the CURLSMBS class. The information includes the parsed certificate details as well as the certificate data in PEM format.

Now, in order to use a pinned certificate, you need the hash. But how do you get it?
You could use the openssl command line instructions from the CURLOPT_PINNEDPUBLICKEY documentation page. But there is an easier way: put a placeholder hash like “sha256//xxx” into OptionPinnedPublicKey in the plugin, do your request, and in the debug log you will find a message like this:

public key hash: sha256//dhF0fnWyRh66b9UWMzm1TdEREOw4vkMunNGZQo0VZSE=
SSL: public key does not match pinned public key!

Now you can simply copy this hash and pass it to the option for the next connection. Don’t forget the “sha256//” prefix. Take the hash from a connection where CURL's normal certificate verification passed, so that you pin the real server's key. Once the hash matches, the connection continues.

Your code can check the result of the CURL request and inform the user if the public key changed. It is a good idea to compare the cert info output with the last one you saved, to see whether the website just renewed its certificate or whether someone is trying to attack you with a fake certificate. If the certificate was renewed with the same private key, the public key (and therefore the hash) won’t change.
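As an added example (not from the plugin or this post), here is how to compute the same sha256// hash yourself from the PEM certificate that GetInfoCertInfo returns, for instance to verify a hash taken from the debug log or to compare a certificate you saved earlier. It uses only the Python standard library with a minimal DER walker; the function names are my own, and the certificate at the end is a constructed dummy, not a real one.

```python
import base64
import hashlib

def _tlv(der, pos):
    """Read one DER element at pos; return (tag, value_start, value_end). Assumes definite lengths."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert_der(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_vs, _ = _tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, cert_vs)         # tbsCertificate ::= SEQUENCE
    fields = []                                        # (tag, element_start, element_end)
    while pos < tbs_end:
        tag, _, end = _tlv(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields[0][0] == 0xA0:                          # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, start, end = fields[5]
    return cert_der[start:end]

def pin_for_spki(spki_der):
    """CURLOPT_PINNEDPUBLICKEY form: 'sha256//' + base64(SHA-256 over the SPKI DER)."""
    return "sha256//" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_from_pem(pem):
    """Pin for a PEM certificate, such as the one GetInfoCertInfo returns."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return pin_for_spki(spki_from_cert_der(base64.b64decode(body)))

# Constructed sample (not a real certificate): a minimal unsigned dummy to exercise the walker.
def _der(tag, content):
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag, n]) + content if n < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb + content

_RSA_ALG = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")   # rsaEncryption, NULL
SAMPLE_SPKI = _der(0x30, _RSA_ALG + _der(0x03, b"\x00" + bytes(range(256))))   # long-form length
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(
    _der(0x30, _TBS + _RSA_ALG + _der(0x03, b"\x00"))).decode() + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(pin_from_pem(SAMPLE_PEM))           # sha256//... as accepted by OptionPinnedPublicKey
```

The value printed for a real certificate is what you pass to OptionPinnedPublicKey, and it should match the “public key hash:” line from the debug log for the same server.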

Don’t forget to use a list of acceptable root certificates and let CURL verify the certificates, too. See the CAPath option and get cacert.pem from the curl website.