
curl-library

Re: Allow empty CURLOPT_CAINFO when there is a valid CURLOPT_CAPATH

From: Alex Khouderchah via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 28 Feb 2019 13:29:49 -0800

I'm using the OpenSSL backend.
The SSL_CTX_load_verify_locations documentation clears this up for me.
Seems like if the certificate can be successfully verified with CAINFO,
then CAPATH is more or less ignored.
Thank you for pointing me to that function, Ray.

On Wed, Feb 27, 2019 at 7:15 PM Ray Satiro via curl-library <curl-library_at_cool.haxx.se> wrote:

> On 2/27/2019 7:11 PM, Alex Khouderchah via curl-library wrote:
> >
> > It seems like CURLOPT_CAINFO is always required to refer to a valid
> > cert file (when we're actually verifying certs), whereas
> > CURLOPT_CAPATH is allowed to be empty or refer to a non-existent
> > directory. I'm unclear why this asymmetry exists. Is there a reason
> > why CURLOPT_CAINFO shouldn't be allowed to be empty/invalid if
> > CURLOPT_CAPATH is valid?
>
> It's probably SSL backend specific, which one are you using? I'm using
> OpenSSL and get an error with valid CAINFO but empty CAPATH, and the
> other way around. SSL_CTX_load_verify_locations [1][2] is called and
> AFAICS there's no logic in libcurl to filter what is passed to that
> function.
>
> curl 7.64.1-DEV (i386-pc-win32) libcurl/7.64.1-DEV OpenSSL/1.0.2r nghttp2/1.36.0
>
> [1]: https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html
> [2]:
> https://github.com/curl/curl/blob/curl-7_64_0/lib/vtls/openssl.c#L2598

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-02-28
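Added example, not from the thread and not curl's code: Python's ssl.SSLContext.load_verify_locations() is a thin wrapper over the same OpenSSL SSL_CTX_load_verify_locations call that libcurl makes for CURLOPT_CAINFO/CURLOPT_CAPATH, so it reproduces the asymmetry Ray describes without libcurl. It also shows the check OpenSSL does not do for a capath (the directory must exist and hold hash-named files); probe_load, capath_is_usable, make_demo_capath and MISSING_PATH are names assumed here.

```python
"""Reproduce how SSL_CTX_load_verify_locations treats cafile vs capath.

Assumption: Python's ssl module is linked against OpenSSL, so
SSLContext.load_verify_locations() behaves like the call libcurl makes.
"""
import os
import re
import ssl
import tempfile

# Constructed path that should not exist on the machine running this.
MISSING_PATH = os.path.join(tempfile.gettempdir(), "curl-ml-example-missing-ca")

# OpenSSL's by-dir lookup only opens files named <subject-hash>.<n>
# (e.g. 4a6481c9.0); a directory without such entries is effectively empty.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def probe_load(cafile=None, capath=None):
    """Return 'ok', or the exception class name load_verify_locations raised."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    except (OSError, ssl.SSLError, TypeError) as exc:
        # A missing cafile fails here; a missing capath does NOT, because
        # OpenSSL only records the directory name and reads it at verify time.
        return type(exc).__name__
    return "ok"


def capath_is_usable(capath):
    """Fail-closed check OpenSSL itself skips: the directory must exist and
    contain at least one hash-named certificate file."""
    if not os.path.isdir(capath):
        return False
    return any(HASHED_NAME.match(name) for name in os.listdir(capath))


def make_demo_capath():
    """Create a throwaway directory shaped like a capath (constructed sample,
    not a real trust store); OpenSSL does not parse the file at load time."""
    capath = tempfile.mkdtemp(prefix="demo-capath-")
    with open(os.path.join(capath, "4a6481c9.0"), "w") as fh:
        fh.write("# placeholder, not a real certificate\n")
    return capath


if __name__ == "__main__":
    print("cafile missing:", probe_load(cafile=MISSING_PATH))  # raises
    print("capath missing:", probe_load(capath=MISSING_PATH))  # ok, silently
    print("both omitted:  ", probe_load())                     # TypeError
    print("usable capath?:", capath_is_usable(MISSING_PATH))   # False
```

A capath that passes load_verify_locations but fails capath_is_usable leaves the context with no trust anchors, so every handshake fails later with an unclear verify error instead of at configuration time.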