
Re: Windows and CA certificates

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 8 Aug 2018 12:11:44 +0200 (CEST)

On Tue, 7 Aug 2018, Daniel Jeliński via curl-library wrote:

> I recently started using HTTPS functionality with libcurl + openSSL; I
> noticed that by default this combo does not use Windows certificates, but
> instead wants to load them from CA bundle. This poses a maintenance problem
> - the bundle needs to be manually refreshed every now and then by the
> application maintainer, which implies that the application requires a
> maintainer in the first place.

I would probably maintain that an application needs one *anyway* due to
possible security vulnerabilities and what not.

Also, the CA bundle is supposed to be the certs of the CAs you *trust* so by
using a separate one from Windows, your application can actually decide
exactly which CAs to trust for your purposes rather than saying that you
always trust all the CAs that have convinced Microsoft to ship their certs.

> Windows certificates are updated automatically as long as the machine is
> connected to the Internet. Should libcurl load Windows certificates when
> started on Windows?

...

> I'm currently running code based on a sample found in the mailing list
> archive [1], and it works just fine. I would like to offload its
> functionality to libcurl. What do you think?

Yes please! I'm pretty sure you'll find many libcurl-openssl users on Windows
who would love to get that option!

-- 
  / daniel.haxx.se
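An added example, not code from the curl project or from either participant in this thread, of the workaround side of the discussion: export the roots from the Windows "ROOT" store that are trusted for server authentication into a PEM bundle, and hand that file to libcurl through CURLOPT_CAINFO. It assumes CPython on Windows (ssl.enum_certificates is Windows-only) and the pycurl binding for the optional fetch; the filtering and PEM-building logic runs on any platform, and the sample store entries are constructed, not taken from a real machine.

```python
"""Build a libcurl CA bundle from the Windows certificate store.

Added example (not curl project code). Windows-specific parts are the
ssl.enum_certificates() call and, for the fetch, the pycurl binding.
"""
import ssl
import sys
import tempfile

# "Server Authentication" enhanced key usage. In ssl.enum_certificates()
# output the trust value is either True (trusted for every purpose) or a
# set of EKU OIDs the root is trusted for.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def trusted_for_server_auth(trust):
    """Return True if a store entry's trust setting covers TLS servers."""
    if trust is True:
        return True
    return SERVER_AUTH_OID in trust


def build_pem_bundle(entries):
    """entries: iterable of (cert_bytes, encoding, trust) tuples in the shape
    ssl.enum_certificates() returns. Keeps only DER-encoded X.509 entries
    that are trusted for server authentication, so a root trusted only for
    code signing or e-mail does not become a web CA for libcurl.
    Returns (pem_text, kept_count, skipped_count)."""
    pems = []
    skipped = 0
    for cert_bytes, encoding, trust in entries:
        if encoding != "x509_asn" or not trusted_for_server_auth(trust):
            skipped += 1
            continue
        pems.append(ssl.DER_cert_to_PEM_cert(cert_bytes))
    return "".join(pems), len(pems), skipped


def windows_root_entries():
    """Enumerate the machine's trusted root store (Windows only)."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates() is only available on Windows")
    # "ROOT" holds trust anchors; "CA" holds intermediates, which the server
    # is expected to send in its chain, so they are not exported here.
    return ssl.enum_certificates("ROOT")


def write_bundle(path, entries):
    """Write the filtered bundle to `path`; returns (kept, skipped)."""
    pem, kept, skipped = build_pem_bundle(entries)
    with open(path, "w", encoding="ascii") as f:
        f.write(pem)
    return kept, skipped


def fetch(url, bundle_path):
    """Perform a GET with libcurl using only the exported bundle as trust."""
    import pycurl  # optional dependency; only needed for the live fetch
    c = pycurl.Curl()
    c.setopt(pycurl.URL, url)
    c.setopt(pycurl.CAINFO, bundle_path)      # CURLOPT_CAINFO
    c.setopt(pycurl.SSL_VERIFYPEER, 1)        # keep chain verification on
    c.setopt(pycurl.SSL_VERIFYHOST, 2)        # and hostname verification
    c.setopt(pycurl.WRITEFUNCTION, lambda data: None)
    c.perform()
    code = c.getinfo(pycurl.RESPONSE_CODE)
    c.close()
    return code


def sample_entries():
    """Constructed store entries for an offline run; the byte strings are
    placeholders, not real certificates (DER_cert_to_PEM_cert only wraps)."""
    return [
        (b"\x30\x03\x02\x01\x01", "x509_asn", True),                         # all purposes
        (b"\x30\x03\x02\x01\x02", "x509_asn", {SERVER_AUTH_OID, "1.3.6.1.5.5.7.3.2"}),
        (b"\x30\x03\x02\x01\x03", "x509_asn", {"1.3.6.1.5.5.7.3.3"}),        # code signing only
        (b"\x30\x03\x02\x01\x04", "pkcs_7_asn", True),                       # not a bare X.509
    ]


if __name__ == "__main__":
    entries = windows_root_entries() if hasattr(ssl, "enum_certificates") else sample_entries()
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as tmp:
        bundle = tmp.name
    kept, skipped = write_bundle(bundle, entries)
    print(f"wrote {kept} roots to {bundle}, skipped {skipped}")
    if len(sys.argv) > 1:
        print("HTTP", fetch(sys.argv[1], bundle))
```

Two caveats for anyone using this as more than a demonstration. First, Windows fetches many roots on demand through the Automatic Root Certificate Update mechanism, so a snapshot of the "ROOT" store only contains roots that some program on that machine has already triggered; that is part of why the thread's "updated automatically" behaviour is hard to reproduce with a static bundle. Second, if you can build libcurl against Schannel instead of OpenSSL it uses the Windows store natively, and for the OpenSSL backend the option requested in this thread later shipped as CURLSSLOPT_NATIVE_CA (CURLOPT_SSL_OPTIONS, libcurl 7.71.0), which loads the Windows store directly without an exported file.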

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-08-08