curl-library

[PATCH: adding CURLOPT_CAPATH support to curl/libcurl] was Re: https and certificates

From: Cris Bailiff <c.bailiff+curl_at_awayweb.com>
Date: Tue, 28 May 2002 18:41:51 +1000

Andreas/Daniel,

On Tue, 28 May 2002 17:23, Andreas Olsson wrote:
> >> Today my client program is hardcoded with a specific CaCertFile
> >>
> >> curl_easy_setopt(curl,CURLOPT_CAINFO,pCACertFile);
> >>
> >> This is ok as long as I know what certificate the server uses.
> >>
> >> Is it possible to specify a directory containing many cert files

See patch attached.

> >> or to
> >> bundle them all together in one large cert file and give that to
> >> libcurl?

As Bharath said, yes - you can put all your CA-certs into one file, and use
that instead. Commonly, the 'ca-bundle.crt' file distributed with mod_ssl is
used, as it contains a pretty up-to-date list of 'well known' CA
certificates. This can be relatively slow, as the file is 240K and has about
60 certificates in it.

> >This is currently not possible. I would gladly accept a patch what would
> >introduce CURLOPT_CAPATH that would then set the OpenSSL 'CApath'
> >accordingly, the same way CURLOPT_CAINFO currently sets 'CAfile'.

> At the moment I'm going for the suggestion from Bharath, bundling the CA
> certs into one file, because I want my program to work on windows. In the
> future, when I've got more time (yeah sure..) and I know CApath works on
> Windows, then I'd be happy to write a patch.

Andreas -

I think the main (only?) reason that it doesn't work on Windows is because
the 'c_rehash' utility uses symlinks to make the 'hash' links which are used
for the quick lookup. You could probably make it just 'copy' the files
instead (it's a simple perl script), and it 'might work' (tm).

Daniel,

The attached patch adds --capath/CURLOPT_CAPATH support, and 'works
for me' against my local CAPATH directory.

I adjusted the logic when providing these arguments to openssl so it is
possible to specify both in curl/libcurl - it's then up to openssl to decide
if that actually makes any sense!

I think I caught all the relevant docco as well.

Cris

---
c.bailiff+curl at awayweb.com
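Building the hashed CApath directory discussed above (the layout c_rehash produces, but copying the files instead of symlinking them, the Windows workaround Cris suggests), as an added Python example that is not Cris's patch or curl's code. It assumes the caller has already extracted each certificate's DER-encoded subject name (that parsing step is omitted), and the sample subjects and file contents are constructed.

```python
"""Lay out an OpenSSL CApath directory (what c_rehash does) without symlinks."""
import hashlib
import os
import shutil
import tempfile


def subject_hash_old(der_subject: bytes) -> str:
    """OpenSSL's X509_NAME_hash_old(): MD5 over the DER-encoded subject name,
    first four digest bytes read little-endian, printed as 8 hex digits.
    This is what `openssl x509 -hash` emitted in 2002-era OpenSSL
    (modern OpenSSL calls it `-subject_hash_old`)."""
    md = hashlib.md5(der_subject).digest()
    value = md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24)
    return "%08x" % value


def capath_names(subjects: dict) -> dict:
    """Map each cert path to its CApath entry name '<hash>.<n>'.
    Subjects that hash alike get .0, .1, .2 ... in sorted-path order, the
    collision handling c_rehash uses. `subjects`: cert path -> DER subject."""
    counters: dict = {}
    names = {}
    for path in sorted(subjects):
        h = subject_hash_old(subjects[path])
        n = counters.get(h, 0)
        counters[h] = n + 1
        names[path] = "%s.%d" % (h, n)
    return names


def build_capath(subjects: dict, dest_dir: str, use_symlinks: bool = False) -> dict:
    """Populate dest_dir with the hashed entries OpenSSL's CApath lookup expects.
    Copies by default (works where symlinks do not); symlinks on request."""
    os.makedirs(dest_dir, exist_ok=True)
    names = capath_names(subjects)
    for path, name in names.items():
        target = os.path.join(dest_dir, name)
        if use_symlinks:
            os.symlink(os.path.abspath(path), target)
        else:
            shutil.copyfile(path, target)
    return names


if __name__ == "__main__":
    # Constructed demo: two stand-in "cert" files with made-up DER subjects.
    work = tempfile.mkdtemp()
    subjects = {}
    for name, der in (("ca1.pem", b"\x30\x03\x31\x01\x00"), ("ca2.pem", b"\x30\x00")):
        path = os.path.join(work, name)
        with open(path, "wb") as f:
            f.write(b"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n")
        subjects[path] = der
    print(build_capath(subjects, os.path.join(work, "capath")))
```

The resulting directory is what you would hand to `--capath` / CURLOPT_CAPATH; OpenSSL only looks at entries named `<hash>.<n>`, so a plain directory of PEM files without these names is silently ignored.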


Received on 2002-05-28