
Re: libcurl ca-bundle path

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 16 Aug 2016 15:42:42 -0400

On 8/16/2016 1:29 PM, Mckinney, Lee wrote:
> What is the default subject path on Windows?
>
> From the libcurl release FAQ, I see that the ca-bundle is no longer
> supplied.
> No worries.
> But I assume libcurl still leverages (or can leverage) a ca path at
> runtime.
>
> I am currently setting an explicit path in my client code:
>
> curl_easy_setopt(curl, CURLOPT_CAINFO, "<path-to-server-cert-pem-file>");
>
> and the client seems to communicate properly now with the server over ssl.
>
> I want to externalize the path to the server pem so additional certs
> (for additional servers) can be added to the trust store without the
> need to re-compile the client every time.
>
> Is there a path environment variable libcurl checks?
>
> Perhaps importing the server certs into Windows cert manager is the
> way to go?

Only libcurl built for the WinSSL backend (schannel) uses the Windows
certificate store. OpenSSL can use a bundle of certificates or a
directory of certificates. The Mozilla certificate bundle cacert.pem (aka
ca-bundle.crt, curl-ca-bundle.crt) can be found at [1]. For more
information on the SSL differences refer to the comparison chart [2].

If you use a configure build then that script at build time may search
some default locations for a bundle or directory of certificates, and if
one is found it is set as the default location so you don't need to
specify it [3][4]. If you are using a non-configure build you can at
build time define CURL_WANTS_CA_BUNDLE_ENV if CURL_CA_BUNDLE is not
defined [5], and then at runtime libcurl will retrieve the bundle
location from the CURL_CA_BUNDLE environment variable.

The easiest way to make sure it always reads from an environment
variable first, regardless of how you build, is to set it using
CURLOPT_CAINFO, the option you are already using, like this:

curl_easy_setopt(curl, CURLOPT_CAINFO, getenv("CURL_CA_BUNDLE"));

Note getenv is not thread-safe. Another idea: the curl tool has a
slightly more complicated order [6][7] and can search the paths for
curl-ca-bundle.crt, so you could lift that code.

[1]: https://curl.haxx.se/docs/caextract.html
[2]: https://curl.haxx.se/docs/ssl-compared.html
[3]: https://github.com/curl/curl/blob/curl-7_50_1/acinclude.m4#L2623-L2624
[4]: https://github.com/curl/curl/blob/curl-7_50_1/lib/url.c#L582-L592
[5]: https://github.com/curl/curl/blob/curl-7_50_1/lib/curl_setup.h#L644-L647
[6]: https://curl.haxx.se/docs/manpage.html#--cacert
[7]: https://github.com/curl/curl/blob/curl-7_50_1/src/tool_operate.c#L235-L243

Received on 2016-08-16
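The lookup order the reply describes, as an added example that is not code from the mail or from the curl project: read CURL_CA_BUNDLE from the environment exactly once at startup (before any threads exist, so the getenv thread-safety caveat does not bite), otherwise look for curl-ca-bundle.crt in a caller-supplied list of directories, otherwise fall back to a compile-time default. The names DEFAULT_CA_BUNDLE and USE_LIBCURL, the resolve_ca_bundle function and the search list are assumptions of this example, not curl's own. It compiles without libcurl installed; build with -DUSE_LIBCURL -lcurl to have it actually apply the resolved path with CURLOPT_CAINFO.

```c
/* Added example, not code from the mail or the curl project: resolve the CA
 * bundle path once at startup, then hand it to CURLOPT_CAINFO. The names
 * DEFAULT_CA_BUNDLE, USE_LIBCURL and resolve_ca_bundle are assumed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#ifdef USE_LIBCURL          /* build with -DUSE_LIBCURL -lcurl to apply the path */
#include <curl/curl.h>
#endif

#ifndef DEFAULT_CA_BUNDLE   /* assumed build-time default; override with -D */
#define DEFAULT_CA_BUNDLE "/etc/ssl/certs/ca-certificates.crt"
#endif
#define CA_BUNDLE_FILENAME "curl-ca-bundle.crt"

#ifndef S_ISREG             /* MSVC's <sys/stat.h> lacks this macro */
#define S_ISREG(m) (((m) & S_IFMT) == S_IFREG)
#endif

/* 1 if path names an existing regular file we can open for reading, else 0.
 * A directory or an unreadable file is not a usable bundle. */
static int is_readable_file(const char *path)
{
    struct stat st;
    FILE *f;
    if (!path || !*path || stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    f = fopen(path, "rb");
    if (!f)
        return 0;
    fclose(f);
    return 1;
}

/* Resolve the CA bundle into out[outlen]. env_value is the CURL_CA_BUNDLE
 * value the caller already fetched (NULL if unset); search_dirs is a
 * NULL-terminated list of directories to check for curl-ca-bundle.crt
 * (may be NULL). Returns 1 on success, 0 if nothing usable was found. */
int resolve_ca_bundle(const char *env_value, const char *const *search_dirs,
                      char *out, size_t outlen)
{
    out[0] = '\0';
    /* 1. explicit override from the environment. If it is set but unusable
     *    we stop here: silently falling back to a different trust store
     *    would hide a misconfiguration. */
    if (env_value && *env_value) {
        if (!is_readable_file(env_value))
            return 0;
        snprintf(out, outlen, "%s", env_value);
        return 1;
    }
    /* 2. curl-ca-bundle.crt in each search directory, in order */
    for (; search_dirs && *search_dirs; ++search_dirs) {
        snprintf(out, outlen, "%s/%s", *search_dirs, CA_BUNDLE_FILENAME);
        if (is_readable_file(out))
            return 1;
    }
    /* 3. compile-time default */
    if (is_readable_file(DEFAULT_CA_BUNDLE)) {
        snprintf(out, outlen, "%s", DEFAULT_CA_BUNDLE);
        return 1;
    }
    out[0] = '\0';
    return 0;
}

int main(void)
{
    static const char *const dirs[] = { ".", NULL };   /* example search list */
    char path[4096];
    /* Read the environment once, here, before any worker threads start. */
    const char *env = getenv("CURL_CA_BUNDLE");

    if (!resolve_ca_bundle(env, dirs, path, sizeof path)) {
        fprintf(stderr, "no usable CA bundle found; not starting without verification\n");
        return 1;
    }
    printf("using CA bundle: %s\n", path);
#ifdef USE_LIBCURL
    {
        CURL *curl = curl_easy_init();
        if (curl) {
            /* the same option the questioner already uses, now fed from the
             * resolved path instead of a compiled-in literal */
            curl_easy_setopt(curl, CURLOPT_CAINFO, path);
            /* ... set CURLOPT_URL, call curl_easy_perform(), etc. ... */
            curl_easy_cleanup(curl);
        }
    }
#endif
    return 0;
}
```

Two design choices worth noting: an environment value that points at a missing or unreadable file is treated as an error rather than a reason to fall through to the next candidate, so a typo in CURL_CA_BUNDLE cannot quietly switch the client to a different trust store; and if no bundle is found at all the program refuses to start instead of disabling verification.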