Should '--with-ca-fallback' imply '--without-ca-path' and '--without-ca-bundle'?
From: Osipov, Michael (IN IT IN) via curl-users
Date: Wed, 30 Aug 2023 09:08:02 +0200
Folks,
I was recently tinkering with my CA trust store and noticed that curl
prints:
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * CAfile: none
> * CApath: /etc/ssl/certs/
This surprised me a bit because I have passed '--with-ca-fallback' and
would expect that only the system default trust store is used; otherwise
this configure option is defeated. Looking at acinclude.m4 there
is an auto discovery *before* '--with-ca-fallback' when nothing is
passed to '--with-ca-path/bundle'. Coincidentally /etc/ssl/certs is the
default trust store on FreeBSD from OpenSSL in base.
My question: Is this on purpose or really just a coincidence? Should it
really be swapped and set both to 'without' when fallback is requested?
I really expect that only [1] applies and nothing else in this case.
Willing to raise a PR.
I am running:
> $ curl --version
> curl 8.1.2 (amd64-portbld-freebsd12.4) libcurl/8.1.2 OpenSSL/1.1.1v zlib/1.2.13 nghttp2/1.53.0
> Release-Date: 2023-05-30
> Protocols: file http https smtp smtps
> Features: AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz SPNEGO SSL threadsafe UnixSockets
Michael
[1]
https://github.com/curl/curl/blob/226d042a58a9ff9fedae44a9c962e7f8339207bf/lib/vtls/openssl.c#L3225-L3232
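As an added example (not part of Michael's post and not code from the curl project), the two checks below make the situation he describes visible from outside the build: the first classifies the "CAfile:"/"CApath:" lines that curl -v prints with the OpenSSL backend during the handshake, the second inspects the configure arguments (as printed by `curl-config --configure`) for the combination the post asks about. The sample verbose output and configure argument strings are constructed, not captured from a real run; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post or from the curl project.
#   ca_source      - classify the "CAfile:"/"CApath:" lines curl -v prints
#                    with the OpenSSL backend during the TLS handshake
#   fallback_only  - inspect configure arguments (e.g. from
#                    `curl-config --configure`) for --with-ca-fallback
#                    combined with --without-ca-path / --without-ca-bundle

# trim: strip leading and trailing whitespace from $1
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# ca_source: read curl -v output on stdin and print one word:
#   explicit  CAfile and/or CApath name a file or directory, which curl loads;
#             the ca-fallback branch in openssl.c referenced in the post is only
#             reached when both are unset
#   fallback  both are "none": only the TLS library's default verify paths apply
#   unknown   neither line was seen (e.g. not an OpenSSL build, or no -v)
ca_source() {
    cafile='' capath=''
    while IFS= read -r line; do
        case "$line" in
            *CAfile:*) cafile=$(trim "${line#*CAfile:}") ;;
            *CApath:*) capath=$(trim "${line#*CApath:}") ;;
        esac
    done
    if [ -z "$cafile" ] && [ -z "$capath" ]; then
        echo unknown
    elif [ "$cafile" = none ] && [ "$capath" = none ]; then
        echo fallback
    else
        echo explicit
    fi
}

# fallback_only: given the configure arguments as one string, print:
#   yes      --with-ca-fallback plus --without-ca-path and --without-ca-bundle,
#            i.e. nothing but the library defaults can be used
#   partial  --with-ca-fallback, but a path/bundle may still be auto-discovered
#            (the FreeBSD /etc/ssl/certs case from the post) or was given
#   no       --with-ca-fallback is not present
# Only the bare option spellings are matched; "--with-ca-fallback=yes" is not.
fallback_only() {
    args=$1
    case " $args " in
        *" --with-ca-fallback "*) ;;
        *) echo no; return ;;
    esac
    case " $args " in
        *" --without-ca-path "*) nopath=1 ;;
        *) nopath=0 ;;
    esac
    case " $args " in
        *" --without-ca-bundle "*) nobundle=1 ;;
        *) nobundle=0 ;;
    esac
    if [ "$nopath" = 1 ] && [ "$nobundle" = 1 ]; then
        echo yes
    else
        echo partial
    fi
}

# Constructed samples (not captured from a real run).
sample_post='* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: none
*  CApath: /etc/ssl/certs/'

sample_fallback='* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: none
*  CApath: none'

printf '%s\n' "$sample_post" | ca_source        # explicit
printf '%s\n' "$sample_fallback" | ca_source    # fallback
fallback_only "--with-openssl --with-ca-fallback"                                        # partial
fallback_only "--with-openssl --with-ca-fallback --without-ca-path --without-ca-bundle"  # yes
```

On a real host, pipe `curl -v https://example.invalid 2>&1` into ca_source and pass `"$(curl-config --configure)"` to fallback_only; a build that reports "partial" while curl -v shows an explicit CApath is exactly the auto-discovery the post describes.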
Received on 2023-08-30