

Re: libcurl ca-bundle path

From: Ray Satiro via curl-library
Date: Tue, 16 Aug 2016 15:42:42 -0400

On 8/16/2016 1:29 PM, Mckinney, Lee wrote:
> What is the default subject path on windows?
> From the libcurl release FAQ, I see that the ca-bundle is no longer
> supplied.
> No worries.
> But I assume libcurl still leverages (or can leverage) a ca path at
> runtime.
> I am currently setting an explicit path in my client code:
> curl_easy_setopt(curl, CURLOPT_CAINFO, "<path-to-server-cert-pem-file>");
> and the client seems to communicate properly now with the server over ssl.
> I want to externalize the path to the server pem so additional certs
> (for additional servers) can be
> added to the trust store without the need to re-compile the client
> every time.
> Is there a path environment variable libcurl checks?
> Perhaps importing the server certs into Windows cert manager is the
> way to go?

Only libcurl built for the WinSSL backend (schannel) uses the Windows
certificate store. OpenSSL can use a bundle of certificates or a
directory of certificates. Mozilla certificate bundle cacert.pem (aka
ca-bundle.crt, curl-ca-bundle.crt) can be found at [1]. For more
information on the SSL differences refer to the comparison chart [2].

If you use a configure build then that script at build time may search
some default locations for a bundle or directory of certificates, and if
one is found it is set as the default location so you don't need to
specify it [3][4]. If you are using a non-configure build you can at
build time define CURL_WANTS_CA_BUNDLE_ENV if CURL_CA_BUNDLE is not
defined [5], and then at runtime libcurl will retrieve the bundle
location from CURL_CA_BUNDLE environment variable.

The easiest way to make sure it always reads from an environment
variable first, regardless of how you build, is to set it using
CURLOPT_CAINFO, the option you are already using, like this:

curl_easy_setopt(curl, CURLOPT_CAINFO, getenv("CURL_CA_BUNDLE"));

Note getenv is not thread-safe. Another idea: the curl tool has a slightly
more complicated order [6][7] and can search the paths for
curl-ca-bundle.crt, so you could lift that code.
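
The pattern the reply describes, resolve the bundle location once at startup (environment variable first, then a fallback search list), written out as an added example in C. It is not code from the curl project or from the message above. It assumes a hypothetical NULL-terminated list of fallback paths chosen by the application, copies the getenv() result into a caller-owned buffer immediately (the pointer getenv returns can be invalidated by a later setenv/putenv, and reading the environment while another thread modifies it is a data race, so do it before spawning threads), and fails closed: if the configured bundle does not exist it returns an error instead of letting libcurl fall back to whatever default it was built with, and it never reaches for CURLOPT_SSL_VERIFYPEER=0. The libcurl call is shown only in a comment so the block builds without libcurl; make_demo_bundle writes a constructed placeholder file purely so the example can run offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if path names a readable regular file, 0 otherwise.
   A directory (CURLOPT_CAPATH territory) or a dangling path is rejected. */
int is_regular_file(const char *path) {
    struct stat st;
    if (path == NULL || *path == '\0') return 0;
    if (stat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    return access(path, R_OK) == 0;
}

/* Resolve the CA bundle path into the caller-owned buffer out.
   env_value is the (already copied) value of CURL_CA_BUNDLE, or NULL.
   candidates is a hypothetical NULL-terminated fallback list (assumption:
   the application decides these; they mirror the curl tool's idea of
   searching for curl-ca-bundle.crt, not its exact order).
   Returns 0 on success, -1 if nothing usable is found. An explicitly
   configured path that does not exist is an error, not a fallback:
   a typo in the variable must not silently switch trust stores. */
int resolve_ca_bundle(const char *env_value, const char *const *candidates,
                      char *out, size_t outlen) {
    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (env_value != NULL && *env_value != '\0') {
        if (!is_regular_file(env_value)) return -1;
        if (strlen(env_value) >= outlen) return -1;
        strcpy(out, env_value);
        return 0;
    }
    for (size_t i = 0; candidates != NULL && candidates[i] != NULL; i++) {
        if (is_regular_file(candidates[i]) && strlen(candidates[i]) < outlen) {
            strcpy(out, candidates[i]);
            return 0;
        }
    }
    return -1;
}

/* Snapshot CURL_CA_BUNDLE into a private buffer right away, then resolve.
   getenv is not thread-safe: call this once, early, from one thread. */
int ca_bundle_from_env(const char *const *candidates, char *out, size_t outlen) {
    char env_copy[4096];
    const char *v = getenv("CURL_CA_BUNDLE");
    if (v == NULL) return resolve_ca_bundle(NULL, candidates, out, outlen);
    if (strlen(v) >= sizeof env_copy) return -1;
    strcpy(env_copy, v);
    return resolve_ca_bundle(env_copy, candidates, out, outlen);
}

/* Demo only: write a constructed placeholder "bundle" to a temp file so the
   example runs offline. A real bundle is Mozilla's cacert.pem. */
int make_demo_bundle(char *path, size_t pathlen) {
    char tmpl[] = "/tmp/demo-ca-bundle-XXXXXX";
    const char *pem = "-----BEGIN CERTIFICATE-----\n"
                      "(constructed placeholder, not a real certificate)\n"
                      "-----END CERTIFICATE-----\n";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, pem, strlen(pem)) < 0) { close(fd); unlink(tmpl); return -1; }
    close(fd);
    if (strlen(tmpl) >= pathlen) { unlink(tmpl); return -1; }
    strcpy(path, tmpl);
    return 0;
}

int main(void) {
    /* Hypothetical fallback locations; adjust for your deployment. */
    const char *const candidates[] = {
        "./curl-ca-bundle.crt",
        "/etc/ssl/certs/ca-certificates.crt",
        NULL
    };
    char bundle[4096];
    if (ca_bundle_from_env(candidates, bundle, sizeof bundle) != 0) {
        fprintf(stderr, "no usable CA bundle found; refusing to continue\n");
        return 1;   /* fail closed: do not disable peer verification */
    }
    printf("using CA bundle: %s\n", bundle);
    /* With libcurl available, the only remaining step is:
       curl_easy_setopt(curl, CURLOPT_CAINFO, bundle); */
    return 0;
}
```

The point of routing the value through resolve_ca_bundle rather than passing getenv() straight into curl_easy_setopt is that a NULL or unset variable would otherwise reset CURLOPT_CAINFO to libcurl's built-in default, so a missing variable changes which trust store is used without any error.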


Received on 2016-08-16