cURL / Mailing Lists / curl-library / Single Mail


RE: VerifyPeer in OpenSSL vs DarwinSSL

From: Vincas Razma <>
Date: Thu, 17 Mar 2016 08:37:25 +0000

>> And if I turn off verifypeer with this option:
>> It works ok.
>> I understand I need to provide a .crt file for this feature to work
>> properly but I have one question:
>> In iOS towards the same server I do not see this issue. Does this mean
>> that DarwinSSL does this automagically or does it mean DarwinSSL does
>> not have this feature?
>During the TLS handshake, the client (curl) checks that server certificate is signed by a trusted CA. That's the verification you can disable with CURLOPT_SSL_VERIFYPEER.
>When curl verifies the server's certificate, it needs a "CA store" with certificates for all the CAs that curl is told to trust. That store of certs is handled differently depending on what TLS library libcurl is built to use.
>If built libcurl to use OpenSSL, you need to tell it where the cert bundle is for your transfers (you can use separate ones for each transfer if you like!).
>It also gets a default path provided at build-time.
>If libcurl is built to use DarwinSSL, it is told to instead use the Mac system CA store. The libcurl will trust the same set of CAs that your operating system is already trusting. Basically the set of organizations Apple has deemed trustworthy for this.
> /

To add to this - as I understand there is no native SSL engine for Android that would pick certificates from OS?
Only way to do that would be to use OpenSSL and generate cert bundle using by getting certificates from Android APIs separately or deliver cert bundle file with app?

List admin:
Received on 2016-03-17