cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Query regarding SSL certificates not about libCurl

From: Arif Ali <arif.ali.syed_at_gmail.com>
Date: Sun, 31 Aug 2014 00:48:22 +0530

Found a way here
<http://stackoverflow.com/questions/1412538/how-to-tell-if-a-url-is-an-intranet-url>
to detect intranet sites or not.
with that If I can make curl trust Operating systems trusted CAs list that
should be enough for me.

How do I tell curl to trust all CAs that are trusted by host OS?
Thanks in advance,
-Arif

-Arif

On Sun, Aug 31, 2014 at 12:24 AM, Arif Ali <arif.ali.syed_at_gmail.com> wrote:

> Thanks for your response Daniel.
> I am building 'sort of very thin browser'( scaled down version) where
> using libCurl to serve http[s] requests.
>
> I wouldn't mind excepting all the certificates of host Operating Systems
> but I want to trust all intranet sites.
> Is there anyway to detect intranet site first and then tell curl to trust
> them?
>
> If its not possible to discover if a site is intranet , does curl have any
> option to specify a wildcard pattern for sites to be trusted?
> like trust all *.mozilla.org or *.corp.mozilla.org
>
> -Arif
>
>
> -Arif
>
>
> On Fri, Aug 29, 2014 at 2:57 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
>> On Thu, 28 Aug 2014, Arif Ali Saiyed wrote:
>>
>> Is there any simple way of telling libCurl to use host machine's SSL
>>> certificate store? If its on Windows point to windows default cert store
>>> if its on Mac point to Mac's cert store.
>>>
>>
>> I believe that's what you get if you use the "native" TLS library that
>> comes with the Operating systems. Windows, Mac OS X or Linux distros.
>>
>> But I'll complicate the issue for you. Why would your application blindly
>> trust exactly those CAs that the different operating systems trust? Or put
>> another way, if you don't trust a certain CA on one operating system, why
>> would you trust it on another?
>>
>>
>> 4. multiple browsers on same operating system use the same certificate
>>> store or all of them have their on certificate store?
>>>
>>
>> IMHO, all applications and especially browsers, should make sure to only
>> have certificates for CAs they trust and they should have their own bundle
>> for that. Thus they need to maintain their own bundle. Also, an application
>> can very well decide to trust a CA that the operating system vendor doesn't.
>>
>>
>> 5. Do i need to worry about nss?
>>>
>>
>> If you want to use libcurl built to use nss, sure.
>>
>> --
>>
>> / daniel.haxx.se
>>
>
>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-08-30