curl / Mailing Lists / curl-library / Single Mail


Dealing with certificates when using custom OpenSSL build with curl

From: Andreas Falkenhahn via curl-library <>
Date: Fri, 22 Mar 2019 15:12:21 +0100

When I use curl with the system's default SSL stack (e.g. DarwinSSL on macOS, Schannel on Windows, pre-installed OpenSSL on Linux) I don't have to use CURLOPT_CAINFO to tell curl which certificates to use at all. Instead, curl will automatically use the certificates provided by the host operating system.

This is different when statically linking curl against a custom build of OpenSSL, e.g. on Android, where curl doesn't have access to any system certificates. In that case I explicitly need to tell curl which certificates to use by setting CURLOPT_CAINFO or it won't be able to connect.

AFAICS, curl always provides a recent certificate store here:

But how am I supposed to deal with this in my application? Should I include curl's cacert.pem in my application? But hard-coding a recent version of curl's cacert.pem in my application would require me to update my application whenever the cacert.pem provided by curl is updated - which is quite a hassle.

So is there maybe an option to make curl automatically use the cacert.pem provided on curl's homepage? I think that would be useful when linking curl against custom builds of OpenSSL that don't have access to any certificate store provided by the host operating system, e.g. on Android.

Or is there any other recommended way of dealing with this problem?

Best regards,
 Andreas Falkenhahn                
Received on 2019-03-22