
curl_easy_setopt(curl, CURLOPT_CAPATH, path) with mbedtls returns CURLE_NOT_BUILT_IN #1877

Closed
@SBKarr

But curl uses mbedtls_x509_crt_parse_path in mbedtls backend, if ssl_capath was configured.

libcurl: 7.55.1 (13 Aug 2017)
mbedtls: 2.6.0
OS: Ubuntu 16.04

  curl version:     7.55.1
  Host setup:       x86_64-pc-linux-gnu
  Install prefix:   
  Compiler:         clang
  SSL support:      enabled (mbedTLS)
  SSH support:      no      (--with-libssh2)
  zlib support:     enabled
  GSS-API support:  no      (--with-gssapi)
  TLS-SRP support:  no      (--enable-tls-srp)
  resolver:         POSIX threaded
  IPv6 support:     enabled
  Unix sockets support: no      (--enable-unix-sockets)
  IDN support:      no      (--with-{libidn2,winidn})
  Build libcurl:    Shared=no, Static=yes
  Built-in manual:  no      (--enable-manual)
  --libcurl option: enabled (--disable-libcurl-option)
  Verbose errors:   no
  SSPI support:     no      (--enable-sspi)
  ca cert bundle:   no
  ca cert path:     no
  ca fallback:      no
  LDAP support:     no      (--enable-ldap / --with-ldap-lib / --with-lber-lib)
  LDAPS support:    no      (--enable-ldaps)
  RTSP support:     no      (--enable-rtsp)
  RTMP support:     no      (--with-librtmp)
  metalink support: no      (--with-libmetalink)
  PSL support:      no      (libpsl not found)
  HTTP2 support:    disabled (--with-nghttp2)
  Protocols:        FILE FTP FTPS HTTP HTTPS SMTP SMTPS

It just works if I define #define have_curlssl_ca_path 1 in mbedtls.h, but I think it should be tested somehow.

bagder (Member) commented on Sep 9, 2017

If curl_easy_setopt returns that, it is because the libcurl you're using was built totally without SSL support!

See: https://github.com/curl/curl/blob/master/lib/url.c#L2293

jay (Member) commented on Sep 10, 2017

This report may be legit, the mbedtls function is for ca path but that is disabled for some reason:

curl/lib/vtls/mbedtls.c

Lines 1042 to 1049 in a14f715

const struct Curl_ssl Curl_ssl_mbedtls = {
{ CURLSSLBACKEND_MBEDTLS, "mbedtls" }, /* info */
0, /* have_ca_path */
0, /* have_certinfo */
1, /* have_pinnedpubkey */
1, /* have_ssl_ctx */
0, /* support_https_proxy */

Doc says it's supported for PolarSSL but since contributors made mbedTLS code from that then I'd guess it should be supported for mbedTLS too.

/cc @dscho

SBKarr (Author) commented on Sep 10, 2017

I usually use a CA bundle file with CURLOPT_CAINFO; it's OK for TLS (HTTPS, SMTPS; CURLOPT_SSL_VERIFYPEER, 1L, CURLOPT_SSL_VERIFYHOST, 2L) with the same libcurl that returns CURLE_NOT_BUILT_IN for CURLOPT_CAPATH.

It's also OK if I build libcurl with #define have_curlssl_ca_path 1 in mbedtls.h 7.55.1.

So, I think it's a have_ca_path problem, not a USE_SSL problem.

added a commit that references this issue on Sep 10, 2017
jay (Member) commented on Sep 10, 2017

I see. It looks as though it's been like that since it was added. Thanks, landed in 64bb7ae.

locked as resolved and limited conversation to collaborators on May 6, 2018
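
An added example, not part of the thread and not curl's code: a simplified C model of the mismatch discussed above (a backend that has a CA-directory loader while its have_ca_path flag is 0), a regression check that catches it, and a caller that falls back to a CA bundle instead of skipping verification. The struct layout, function names and table rows are hypothetical; only the two result-code values are taken from libcurl.

```c
#include <stddef.h>

/* Values match libcurl's CURLE_OK and CURLE_NOT_BUILT_IN. */
enum rc { RC_OK = 0, RC_NOT_BUILT_IN = 4 };

/* Hypothetical, simplified stand-in for a TLS backend descriptor. */
struct backend {
  const char *name;
  int have_ca_path;                    /* advertised capability flag */
  int (*load_ca_dir)(const char *dir); /* non-NULL if a CA directory loader exists */
};

/* Hypothetical loader standing in for a call such as mbedtls_x509_crt_parse_path. */
static int load_dir_stub(const char *dir) { return (dir && *dir) ? 0 : -1; }

/* Constructed table; the first row reproduces the mismatch reported here. */
static const struct backend backends[] = {
  { "mbedtls-flag-off", 0, load_dir_stub },
  { "mbedtls-flag-on",  1, load_dir_stub },
  { "no-ca-dir",        0, NULL },
};

/* Model of the option gate (an assumption): only the flag is consulted. */
enum rc set_capath(const struct backend *b, const char *dir) {
  (void)dir;
  return b->have_ca_path ? RC_OK : RC_NOT_BUILT_IN;
}

/* Regression check: name of the first backend whose flag and loader disagree. */
const char *first_mismatch(const struct backend *t, size_t n) {
  for (size_t i = 0; i < n; i++)
    if ((t[i].have_ca_path != 0) != (t[i].load_ca_dir != NULL))
      return t[i].name;
  return NULL;
}

/* Caller side: which trust source ends up in effect. There is no "none". */
enum trust { TRUST_CA_DIR, TRUST_CA_BUNDLE, TRUST_FAIL_CLOSED };

enum trust pick_trust(const struct backend *b, const char *dir, const char *bundle) {
  if (dir && set_capath(b, dir) == RC_OK) return TRUST_CA_DIR;
  if (bundle && *bundle) return TRUST_CA_BUNDLE; /* the CURLOPT_CAINFO route */
  return TRUST_FAIL_CLOSED;                      /* abort rather than skip verification */
}
```

In a real client the same shape applies to the return value of curl_easy_setopt for CURLOPT_CAPATH: treat CURLE_NOT_BUILT_IN as a configuration failure to handle, and leave CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST enabled on every path.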