curl / Mailing Lists / curl-library / Single Mail


RE: A first proposal patch for using Windows certificate store when compiling with openssl

From: Gilles Vollant via curl-library <>
Date: Tue, 11 Sep 2018 17:50:32 +0200

On Sun, 9 Sep 2018, Daniel Stenberg via curl-library wrote:
> #include <Wincrypt.h>
> #endif

> + #pragma comment(lib, "crypt32.lib")
> I'm pretty sure this is an MSVCism
I agree this must not be used.

>> ! if ((!ssl_cafile) && (!ssl_capath)) {
> I'm curious if this way of selecting the native CA store is really what
> would like
> I'm curious if this way of selecting the native CA store is really what
>would like. It is very obscure and when reading code you can't tell if
> use the Windows CA store or not unless you also know which libcurl version

> that runs...
> Would it make more sense to use a magic value for cafile for example? For
> example CURL_WINDOWS_CA_STORE (which then could be a defined string that
> totally unlikely to ever be used for a PEM ca store file name on windows.
> " .. wincastore" or something.

Here is my idea : if we provide cafile or capath, we have our custom
certificate store, so it replace using Windows store.
If we did not provide them, we cannot use curl with https without
--insecure. So using Windows certificate store is a good idea.

When we user WinSSL , we use Windows certificate store without asking
Same thing with darwinssl.c and ios/osx keychain.

My idea is more using the Windows CA store, but add a macro to ignore my

Note : Openssl 1.1.1 with TLS 1.3 has been released. So having a Windows
executable of curl.exe which use it and Windows store without specifying
option can be great !!

Gilles Vollant

Received on 2018-09-11