Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

curl: add --ca-native and --proxy-ca-native #11049

Closed
wants to merge 1 commit into from
Closed

curl: add --ca-native and --proxy-ca-native #11049

wants to merge 1 commit into from

Conversation

bagder
Copy link
Member

@bagder bagder commented Apr 27, 2023

These are two boolean options to ask curl to use the native OS's CA store when verifying TLS servers. For peers and for proxies respectively.

They currently only have an effect for curl on Windows when built to use OpenSSL for TLS.

@bagder bagder added TLS feature-window A merge of this requires an open feature window Windows Windows-specific labels Apr 27, 2023
@dfandrich
Copy link
Contributor

dfandrich commented Apr 27, 2023 via email

@bagder
Copy link
Member Author

bagder commented Apr 27, 2023

What are the intended semantics on non-Windows systems?

If/when someone adds support for non-Windows systems I figure they could work the same?

Doesn't NSS have its own certificate store that this option might be expected to affect?

I don't think so. It is still not the OS's store.

@noloader
Copy link

noloader commented Apr 28, 2023
edited

I think the other case to consider, in contrast to @dfandrich comment, is what happens when OpenSSL is configured to use the Windows Certificate store, but cURL was not invoked with --ca-native or --proxy-ca-native. In this case the user may get the Windows Certificate store even though they did not want it. They may have wanted to use cURL's cacerts.pem.

I haven't looked at this area of OpenSSL in several years. My apologies if I got my wires crossed.

@bagder
Copy link
Member Author

bagder commented Apr 28, 2023
edited

what happens when OpenSSL is configured to use the Windows Certificate store, but cURL was not invoked with --ca-native or --proxy-ca-native

OpenSSL is never configured to do this by itself. It does not offer this feature.

This is code in libcurl that we activate with an curl_easy_setopt() option. Thus, if none of the *ca-native options is used with the tool, OpenSSL will use the CA store provided by other options.

@noloader
Copy link

OpenSSL is never configured to do this by itself. It does not offer this feature.

Hmmm... I think enable-capieng tells OpenSSL to use the Windows Certificate store. See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options.

Do you know if that option was removed?

@bagder
Copy link
Member Author

bagder commented Apr 28, 2023

OpenSSL is never configured to do this by itself. It does not offer this feature.

Hmmm... I think enable-capieng tells OpenSSL to use the Windows Certificate store. See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options.

Do you know if that option was removed?

I don't know what that is, but I know that we don't use that.

@vszakats
Copy link
Member

vszakats commented Apr 28, 2023
edited

capieng is an OpenSSL / quictls build option.

curl-for-win has it disabled, because by default it uses external engine DLLs, which in turn needs to have dynamic load capability enabled, which in turn still seems insecure in OpenSSL due to its incomplete fix for a 2019 CVE. Due to this, I disabled capieng with the other engines, about a year ago.

I was tracking this PR for Windows CA certificate store support. It landed 10 days ago in quictls 3.1.0. It seems to implement support internally and it's part of the curl.exe released the same day.

What is necessary now in OpenSSL to make use of this feature from curl? Do we still need capieng for it?

@jay
Copy link
Member

jay commented Apr 28, 2023

Basically I don't know but:

It looks like according to their CHANGES for OpenSSL 3.1 they've added SSL_CERT_URI and for OpenSSL 3.2 they've added SSL_CERT_PATH and are going to deprecate SSL_CERT_DIR (which could do both but had some parsing problem, still I don't get why they would deprecate it for paths). Both commits openssl/openssl@606e0426 and openssl/openssl@021859bf (also its parent) are in master and not in openssl-3.1 branch.

curl tool reads SSL_CERT_DIR (note it's ignored for Schannel) and sets that as the path. I don't know if OpenSSL is now reading the environment itself but the URI is org.openssl.winstore:// not capieng. If you have a master build then try SSL_CERT_URI=org.openssl.winstore:// curl ... and if that doesn't work try curl --capath "org.openssl.winstore://" ...

@vszakats
Copy link
Member

So it seems capieng is not playing a role here. And the OpenSSL patches mentioned did not end up in 3.1, and are now targeted for 3.2.

@jay
Copy link
Member

jay commented Apr 28, 2023

I really don't know. That was my impression. You may want to ask in the thread.

@vszakats
Copy link
Member

vszakats commented Apr 29, 2023
edited

capieng is a legacy component that didn't see major feature updates in the recent years, and OpenSSL is/was well-known for not supporting the Windows CA store natively. This tells that capieng is not involved. The mentioned PR originally listed this feature for 3.1 in CHANGES, but it's missing from the release. Strings SSL_CERT_URI and winstore are also missing from the source tarball. SSL_CERT_DIR and SSL_CERT_FILE are present, but CertOpenSystemStore is not.

None of the popular forks support this either. wolfSSL does however, seemingly also when using its OpenSSL-compatibility API, though I haven't tested it.

@bagder
curl: add --ca-native and --proxy-ca-native
a1cd3b8 
These are two boolean options to ask curl to use the native OS's CA
store when verifying TLS servers. For peers and for proxies
respectively.

They currently only have an effect for curl on Windows when built to use
OpenSSL for TLS.
@bagder bagder closed this in 9ad23c3 Jun 5, 2023
@bagder bagder deleted the bagder/ca-native branch June 5, 2023 18:07
bch pushed a commit to bch/curl that referenced this pull request Jul 19, 2023
@bagder @bch
curl: add --ca-native and --proxy-ca-native
fc7a650 
These are two boolean options to ask curl to use the native OS's CA
store when verifying TLS servers. For peers and for proxies
respectively.

They currently only have an effect for curl on Windows when built to use
OpenSSL for TLS.

Closes curl#11049
ptitSeb pushed a commit to wasix-org/curl that referenced this pull request Sep 25, 2023
@bagder @ptitSeb
curl: add --ca-native and --proxy-ca-native
c0d628e 
These are two boolean options to ask curl to use the native OS's CA
store when verifying TLS servers. For peers and for proxies
respectively.

They currently only have an effect for curl on Windows when built to use
OpenSSL for TLS.

Closes curl#11049
@Teamspeak5
Copy link

Where does cURL get the Certificate Authorities from when it's not using the native OS's Certificate Authorities?
Is there like a folder, reg or something else for Windows OSes where curl gets the trusted root Certificate Authorities from?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
cmdline tool feature-window A merge of this requires an open feature window TLS Windows Windows-specific
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@bagder @dfandrich @noloader @vszakats @jay @Teamspeak5