

Re: Dealing with certificates when using custom OpenSSL build with curl

From: Patrick Monnerat via curl-library <>
Date: Fri, 22 Mar 2019 15:47:27 +0100

On 3/22/19 3:12 PM, Andreas Falkenhahn via curl-library wrote:
> When I use curl with the system's default SSL stack (e.g. DarwinSSL on macOS, Schannel on Windows, pre-installed OpenSSL on Linux) I don't have to use CURLOPT_CAINFO to tell curl which certificates to use at all. Instead, curl will automatically use the certificates provided by the host operating system.
> This is different when statically linking curl against a custom build of OpenSSL, e.g. on Android, where curl doesn't have access to any system certificates. In that case I explicitly need to tell curl which certificates to use by setting CURLOPT_CAINFO or it won't be able to connect.
> AFAICS, curl always provides a recent certificate store here:
> But how am I supposed to deal with this in my application? Should I include curl's cacert.pem in my application? But hard-coding a recent version of curl's cacert.pem in my application would require me to update my application whenever the cacert.pem provided by curl is updated - which is quite a hassle.
> So is there maybe an option to make curl automatically use the cacert.pem provided on curl's homepage? I think that would be useful when linking curl against custom builds of OpenSSL that don't have access to any certificate store provided by the host operating system, e.g. on Android.
> Or is there any other recommended way of dealing with this problem?
You can configure curl with option
--with-ca-bundle=/local/filepath/of/your/choice before compiling it and
download the cacert.pem file at this place on your target system. This
path will become the default when no CURLOPT_CAINFO setopt is issued.
Received on 2019-03-22
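As an added example (not part of this thread and not curl project code), here is a POSIX shell sketch of both halves of the suggestion above: bake the bundle path into the build with `--with-ca-bundle`, and on the target fetch `cacert.pem` to that path, checking it against the `.sha256` file published beside it before installing. The path `/etc/myapp/cacert.pem`, the `OPENSSL_PREFIX` variable, the `--with-openssl` flag (curl 7.77.0 or later) and the download URLs are assumptions of this example, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the curl project.
# Assumed values: the bundle path, OPENSSL_PREFIX, and the curl.se URLs below.

CA_BUNDLE_PATH="${CA_BUNDLE_PATH:-/etc/myapp/cacert.pem}"   # assumed path
CA_BUNDLE_URL="${CA_BUNDLE_URL:-https://curl.se/ca/cacert.pem}"
OPENSSL_PREFIX="${OPENSSL_PREFIX:-/opt/custom-openssl}"     # assumed prefix

# Build host: the path handed to --with-ca-bundle becomes libcurl's default
# CURLOPT_CAINFO, so the application needs no setopt call for it.
# Run from the curl source tree (not executed by the checks below).
build_curl() {
    ./configure --with-openssl="$OPENSSL_PREFIX" \
                --with-ca-bundle="$CA_BUNDLE_PATH" &&
    make && make install
}

# Portable SHA-256 of a file: coreutils sha256sum, else perl/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a downloaded bundle with a published checksum line
# ("<hex>  cacert.pem" or just "<hex>"). Returns 0 only on an exact match,
# so a truncated or tampered download is never installed.
verify_bundle_checksum() {
    bundle="$1"; sumfile="$2"
    expected=$(awk 'NR==1 {print $1}' "$sumfile")
    actual=$(sha256_of "$bundle")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Target system: fetch bundle and checksum, verify, then install with a
# rename so libcurl never reads a half-written file at CA_BUNDLE_PATH.
# Assumes the published checksum lives at "$CA_BUNDLE_URL.sha256".
update_bundle() {
    tmp=$(mktemp -d) || return 1
    curl -fsSL -o "$tmp/cacert.pem" "$CA_BUNDLE_URL" &&
    curl -fsSL -o "$tmp/cacert.pem.sha256" "$CA_BUNDLE_URL.sha256" &&
    verify_bundle_checksum "$tmp/cacert.pem" "$tmp/cacert.pem.sha256" &&
    mv "$tmp/cacert.pem" "$CA_BUNDLE_PATH"
    status=$?
    rm -rf "$tmp"
    return $status
}

# Offline self-check on constructed data: a matching checksum passes and a
# wrong one is rejected. Returns 0 when both behave as intended.
demo_checksum_check() {
    t=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-sample-bundle' \
        '-----END CERTIFICATE-----' > "$t/cacert.pem"
    printf '%s  cacert.pem\n' "$(sha256_of "$t/cacert.pem")" > "$t/good.sha256"
    printf '%s  cacert.pem\n' 'deadbeef' > "$t/bad.sha256"     # constructed mismatch
    verify_bundle_checksum "$t/cacert.pem" "$t/good.sha256"; good=$?
    verify_bundle_checksum "$t/cacert.pem" "$t/bad.sha256"; bad=$?
    rm -rf "$t"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}
```

One practical point this makes visible: `update_bundle` itself talks TLS to curl.se, so the very first run on a fresh target needs some trusted bundle already present at `CA_BUNDLE_PATH`. Shipping a seed copy of `cacert.pem` with the application and then refreshing it with `update_bundle` avoids that chicken-and-egg problem while still keeping the bundle current without rebuilding the application.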