curl-library

How to make SSL peer_verify work on Android?

From: Robert Chou <robert.3c_at_gmail.com>
Date: Tue, 12 Aug 2014 17:18:34 -0700

Hi,

I've successfully built libcurl-7.36.0 with openssl-1.0.1h on Android. I
ran some sample code to test an HTTPS connection. SSL_VERIFYPEER is enabled
by default. The certificate path on Android is
/system/etc/security/cacerts, so I set CURLOPT_CAPATH to
/system/etc/security/cacerts.

ls -l /system/etc/security/cacerts
-rw-r--r-- root root 4767 2012-09-22 11:57 00673b5b.0
-rw-r--r-- root root 4573 2012-09-22 11:57 03e16f6c.0
-rw-r--r-- root root 5292 2012-09-22 11:57 08aef7bb.0
......

Here is a snippet of my code:

curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, "https://www.google.com:443");
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L); // default
curl_easy_setopt(curl, CURLOPT_CAPATH, "/system/etc/security/cacerts");
curl_easy_perform(curl);

Curl always returns an error:

== Info: SSL certificate problem: unable to get local issuer certificate
== Info: Closing connection 0
curl_easy_perform() failed: Peer certificate cannot be authenticated
with given CA certificates

It's working if I download the CA bundle file ca-bundle.crt from
http://curl.haxx.se/docs/caextract.html and curl_easy_setopt(curl,
CURLOPT_CAINFO, "path:/ca-bundle.crt").

I've also tried openssl-0.9.8zb. It's working on Android without the CA
bundle file.

Here is my question:

Is it possible to make openssl-1.0.x work on Android without manually
downloading the CA bundle file and specifying CURLOPT_CAINFO?

Thanks,

Robert Chou

Received on 2014-08-13
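
An added example, not part of the original post: OpenSSL 1.0.0 changed the subject-name hash it uses to look up files in a CAPATH directory, and Android names the files in /system/etc/security/cacerts with the older hash (the value `openssl x509 -subject_hash_old` prints), so a bundle file built from the same store sidesteps the filename lookup while keeping peer verification on. The function name `build_ca_bundle` is hypothetical, and the script assumes each store file holds a PEM block followed by a text dump.

```shell
#!/bin/sh
# build_ca_bundle SRC_DIR OUT_FILE   (hypothetical helper, added example)
# Copies only the PEM certificate blocks from every file in SRC_DIR into
# OUT_FILE, skipping the human-readable dump assumed to follow each block.
# Prints the number of certificates written. Returns 1, and leaves no
# output file, if no certificate is found or a PEM block is truncated.
build_ca_bundle() {
    src=$1
    out=$2
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1

    for f in "$src"/*; do
        [ -f "$f" ] || continue
        # Keep the lines from the BEGIN marker through the END marker.
        sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
            "$f" >> "$tmp"
    done

    # grep -c exits non-zero on a zero count, hence the "|| true".
    begin=$(grep -c '^-----BEGIN CERTIFICATE-----' "$tmp" || true)
    end=$(grep -c '^-----END CERTIFICATE-----' "$tmp" || true)

    # A BEGIN without its END means a truncated file: refuse to emit
    # a bundle that would silently drop trust anchors.
    if [ "$begin" -eq 0 ] || [ "$begin" -ne "$end" ]; then
        rm -f "$tmp"
        return 1
    fi

    # Move into place only after the checks, so readers of OUT_FILE never
    # see a partial bundle.
    mv "$tmp" "$out"
    echo "$begin"
}

# Stand-alone use: sh script.sh /system/etc/security/cacerts ca-bundle.pem
if [ "$#" -eq 2 ]; then
    build_ca_bundle "$1" "$2"
fi
```

The resulting file is passed to CURLOPT_CAINFO in place of the downloaded ca-bundle.crt, with CURLOPT_SSL_VERIFYPEER left at 1L.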