Re: Windows and CA certificates

From: Jan Ehrhardt via curl-library <>
Date: Mon, 13 Aug 2018 22:49:08 +0200

Daniel Jelinski via curl-library (Tue, 7 Aug 2018 23:11:25 +0200):
>I recently started using HTTPS functionality with libcurl + OpenSSL; I
>noticed that by default this combo does not use Windows certificates,
>but instead wants to load them from a CA bundle.

I happened to notice that recent X64 builds with OpenSSL 1.0.2 (and
probably higher as well) actually do use the Windows certificates.
I first noticed this with a cross-compiled X64 build on Ubuntu 16.04,
but later confirmed it for native X64 builds (VC15, VC14, VC11 and even
VC9 x64). No problems with Elliptic-curve ciphers and/or TLS v1.2.

Example with a VC9 x64 build:

C:\>curl --version
curl 7.61.0 (x86_64-pc-win32) libcurl/7.61.0 OpenSSL/1.0.2o zlib/1.2.8
WinIDN libssh2/1.8.0 nghttp2/1.33.0
Release-Date: 2018-07-11
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3
pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL
libz HTTP2 HTTPS-proxy

C:\>curl --head
HTTP/2 200
date: Mon, 13 Aug 2018 20:26:10 GMT
server: Apache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000
expect-ct: enforce,max-age=30
vary: Accept-Encoding
x-xss-protection: 1; mode=block
referrer-policy: no-referrer, strict-origin-when-cross-origin
content-type: text/html

Example with a cross-compiled X64 build, zipped in

C:\>curl-x86_64-w64-mingw32-static.exe --head
HTTP/2 200
date: Mon, 13 Aug 2018 20:18:24 GMT
content-type: text/html
last-modified: Tue, 08 May 2018 13:53:22 GMT
etag: "5af1abd2-19d8"
accept-ranges: bytes
content-length: 6616
x-backend-header-rtt: 0.002717
strict-transport-security: max-age=31536000
server: nghttpx
via: 2 nghttpx
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff

Received on 2018-08-13