curl-library

Re: CURLOPT_SSL_VERIFYPEER without CURLOPT_CAINFO?

From: Sebastian Brückner <sb_at_thebackend.de>
Date: Thu, 02 Mar 2006 14:57:29 +0100

Daniel Stenberg wrote:
> On Thu, 2 Mar 2006, Sebastian Brückner wrote:
>
>> As the next step I would like to avoid using CURLOPT_CAINFO altogether
>> to make working without any external configuration files possible. Any
>> hints on how to achieve that?
>
> Is this a self-signed certificate? If so, why do you need the cacert file?

I shouldn't need it. I use the root certificate of my own CA created
only for this application.

> I believe you might need the cacert file only if you need certs from the
> "chain" as then the "built-in" cacert alone is not enough to verify the
> cert.

As far as I can see the certificate itself is not the problem. Since I
insert it directly using OpenSSL functions, curl probably doesn't even
know it's there. That might be the problem: I guess curl assumes that for
CURLOPT_VERIFYPEER to work it needs certificates and with an invalid
CURLOPT_CAINFO I don't give any (from curl's point of view)...
(I will have a look at the source, maybe that clears things up a bit)

I know nothing about built-in certificates. I just assumed that the
built-in certificates are in the file specified by CURLOPT_CAINFO by
default (that is /usr/local/share/curl/curl-ca-bundle.crt for me). So if
I specify a different (or even none as I would like to do) path they
shouldn't be used.

The message is (if I don't change CURLOPT_CAINFO):

error setting certificate verify locations:
   CAfile: /usr/local/share/curl/curl-ca-bundle.crt
   CApath: none

Sebastian
Received on 2006-03-02