
Consistent certificate validation

From: François via curl-users <>
Date: Wed, 4 Dec 2019 21:20:59 +0100

curl certificate validation seems to depend on the SSL library used to
build curl.
In some cases, like when linking with openssl, you need to provide the
root certificate to be able to connect with curl --capath or curl
--cacert. In case you are using the --capath option and curl is built
with openssl, you must use c_rehash to create the needed symlinks.

However if curl is built like this without openssl like in this example:
$ curl -V
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10
zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP UnixSockets

there is no need to create the symlinks with c_rehash, and you don't
need to have the root certificate within the capath folder: you
can just provide the server certificate to cacert. curl will not
complain about any "self signed certificate in certificate chain"
because it did not know about the root CA.

This is bothersome because I don't want to authorize every single
certificate signed by an authority, but just a single one, whose
subject matches the server I'm targeting. It also means that a
script calling curl --cacert might break following an update of curl,
so in the end the most portable way to use curl remains to use the
--insecure option.

The documentation that curl links you to in case you get a "self
signed certificate" is pretty detailed but does not address this
openssl peculiarity (e.g. it mentions the openssl -showcerts command,
but does not mention that you cannot just take any of the certificates
there; you need to use the self-signed root one in the case where curl is
linked with openssl). If my understanding is correct, do you think
there is either a way to change the way openssl is called to verify
the certificate chain, or anything clearer that could be
replied to the user in case of certificate issues (so that the user
does not automatically go to the --insecure option)?

Thank you!
Received on 2019-12-04
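The post asks for a backend-independent way to trust exactly one server certificate rather than every certificate a CA issues. curl's --pinnedpubkey option does that by comparing the SHA-256 of the server's DER-encoded SubjectPublicKeyInfo against a "sha256//<base64>" pin, and the check is the same whether curl is built against OpenSSL or GnuTLS. The script below is an added example written for this page, not code from the list post or from the curl project: it computes such a pin from a certificate with a minimal DER walker and assembles the matching curl command line. The certificate it operates on is a constructed stand-in with the field layout of an X.509 v3 certificate (its key bytes and signature are placeholders, not a real key); the helper names (extract_spki, pinnedpubkey, curl_command, build_demo_cert) are this example's own.

```python
"""Compute a curl --pinnedpubkey value from a certificate (added example)."""
import base64
import hashlib


def der_encode(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder; lengths up to 65535 are enough here."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def der_read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _ = der_read_tlv(cert_der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, tbs, _ = der_read_tlv(cert, 0)
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    pos = 0
    tag, _, nxt = der_read_tlv(tbs, pos)
    if tag == 0xA0:  # explicit [0] version is present (v2/v3 certificates)
        pos = nxt
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read_tlv(tbs, pos)
    tag, _, end = der_read_tlv(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo is not a SEQUENCE"
    return tbs[pos:end]  # the whole SPKI TLV, header included, as curl hashes it


def pinnedpubkey(cert_der: bytes) -> str:
    """curl's pin format: "sha256//" + base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256//" + base64.b64encode(digest).decode("ascii")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour (e.g. from `openssl s_client -showcerts`) to DER."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def curl_command(host: str, cert_der: bytes) -> list:
    """Command line that accepts only the pinned key, independent of the TLS backend."""
    return ["curl", "--pinnedpubkey", pinnedpubkey(cert_der), "https://%s/" % host]


# Constructed stand-in certificate: right structure, placeholder key and signature.
def build_demo_cert(spki: bytes, v3: bool = True) -> bytes:
    name = der_encode(0x30, der_encode(0x31, der_encode(0x30,
        der_encode(0x06, bytes.fromhex("550403")) +      # commonName (2.5.4.3)
        der_encode(0x0C, b"example.test"))))
    sigalg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D01010B"))
                        + b"\x05\x00")                    # sha256WithRSAEncryption
    validity = der_encode(0x30, der_encode(0x17, b"191204000000Z")
                          + der_encode(0x17, b"201204000000Z"))
    version = der_encode(0xA0, der_encode(0x02, b"\x02")) if v3 else b""
    tbs = der_encode(0x30, version + der_encode(0x02, b"\x01")
                     + sigalg + name + validity + name + spki)
    return der_encode(0x30, tbs + sigalg + der_encode(0x03, b"\x00" * 33))


DEMO_SPKI = der_encode(0x30,
    der_encode(0x30, der_encode(0x06, bytes.fromhex("2A8648CE3D0201"))   # id-ecPublicKey
               + der_encode(0x06, bytes.fromhex("2A8648CE3D030107")))   # prime256v1
    + der_encode(0x03, b"\x00\x04" + bytes(range(64))))                 # placeholder point
DEMO_CERT = build_demo_cert(DEMO_SPKI)

if __name__ == "__main__":
    print(" ".join(curl_command("example.test", DEMO_CERT)))
```

In real use the certificate comes from the server (one of the blocks printed by `openssl s_client -showcerts`, fed through pem_to_der), and the pin is computed once and stored with the script. Two points worth knowing: the pin is checked against the leaf certificate's key after curl's ordinary chain verification, so --cacert still has to name a root the backend accepts, and it is the pin, not the CA file, that narrows trust to the one server; and curl documents --pinnedpubkey as independent of --insecure, so a script that must run against both OpenSSL and GnuTLS builds can combine the two and still refuse any key other than the pinned one, which is a much smaller concession than --insecure alone.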