curl / Mailing Lists / curl-library / Single Mail


RE: A first proposal patch for using Windows certificate store when compiling with openssl

From: Daniel Stenberg via curl-library <>
Date: Thu, 13 Sep 2018 08:50:34 +0200 (CEST)

On Tue, 11 Sep 2018, Gilles Vollant via curl-library wrote:

> Note : Openssl 1.1.1 with TLS 1.3 has been released. So having a Windows
> executable of curl.exe which use it and Windows store without specifying
> option can be great !!

That's going to be challenging I think. At least for users of the command line
tool. Let me explain:

On Windows, the command line tool does a fairly advanced dance to figure out
which CA store bundle to use and pass on to libcurl, to be used to verify the
server. This is done without requiring any particular option on the command
line. That CA bundle is often bundled with the curl download - for example in
the official curl package for Windows that we host on the curl web site.

So, if you then invoke "curl" and want to use the Windows
certficate store? With your initially suggested logic, I'm not even sure you
can do that with the curl tool as long as it finds the PEM CA bundle, which
makes it really quirky for the user.

How do you envision this to be used by the curl command line user?

(we can probably also assume that there are one or two other applications out
there that is similar to the curl command line tool in this aspect)

Received on 2018-09-13