
Re: Dealing with certificates when using custom OpenSSL build with curl

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 22 Mar 2019 14:34:29 -0400

On 3/22/2019 10:12 AM, Andreas Falkenhahn via curl-library wrote:
> When I use curl with the system's default SSL stack (e.g. DarwinSSL on macOS, Schannel on Windows, pre-installed OpenSSL on Linux) I don't have to use CURLOPT_CAINFO to tell curl which certificates to use at all. Instead, curl will automatically use the certificates provided by the host operating system.
>
> This is different when statically linking curl against a custom build of OpenSSL, e.g. on Android, where curl doesn't have access to any system certificates. In that case I explicitly need to tell curl which certificates to use by setting CURLOPT_CAINFO or it won't be able to connect.
>
> AFAICS, curl always provides a recent certificate store here: https://curl.haxx.se/ca/cacert.pem
>
> But how am I supposed to deal with this in my application? Should I include curl's cacert.pem in my application? But hard-coding a recent version of curl's cacert.pem in my application would require me to update my application whenever the cacert.pem provided by curl is updated - which is quite a hassle.
>
> So is there maybe an option to make curl automatically use the cacert.pem provided on curl's homepage? I think that would be useful when linking curl against custom builds of OpenSSL that don't have access to any certificate store provided by the host operating system, e.g. on Android.
>
> Or is there any other recommended way of dealing with this problem?

Doesn't Android have /system/etc/security/cacerts, and will that work as capath instead of using the bundle as cainfo?
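The choice the thread turns on is between CURLOPT_CAPATH (a directory of certificates named by OpenSSL subject hash, the layout Android's /system/etc/security/cacerts uses) and CURLOPT_CAINFO (a single bundle such as curl's cacert.pem). The probe below is an added example, not code from the thread or from the curl project: it checks at run time whether the system directory actually contains hash-named files before trusting it as capath, and falls back to a bundle shipped with the application otherwise. The directory and bundle paths, the sample file name 5ed36f99.0 and the helper names are all assumptions made up for the example; the block deliberately avoids linking libcurl, so the resulting choice is reported as the option to pass to curl_easy_setopt rather than applied.

```c
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Which libcurl option the application should set for its CA source. */
typedef enum { CA_NONE = 0, CA_PATH = 1, CA_INFO = 2 } ca_mode;

/* True if name looks like an OpenSSL hashed CA file: 8 hex digits, a dot,
 * then a decimal suffix (e.g. "5ed36f99.0"). "." and ".." fail the check. */
int is_hashed_cert_name(const char *name) {
    size_t i;
    for (i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)name[i])) return 0;
    if (name[8] != '.' || name[9] == '\0') return 0;
    for (i = 9; name[i]; i++)
        if (!isdigit((unsigned char)name[i])) return 0;
    return 1;
}

/* Count hash-named files in a would-be capath; -1 if it is not a readable dir. */
int count_hashed_certs(const char *dir) {
    DIR *d = opendir(dir);
    struct dirent *e;
    int n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL)
        if (is_hashed_cert_name(e->d_name)) n++;
    closedir(d);
    return n;
}

int is_regular_file(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Prefer the OS directory when it really is an OpenSSL-style capath;
 * otherwise fall back to a bundle the application ships itself. An
 * unchecked CURLOPT_CAPATH pointing at an empty or differently laid out
 * directory only shows up later as "unable to get local issuer certificate". */
ca_mode choose_ca_source(const char *capath, const char *cainfo) {
    if (capath && count_hashed_certs(capath) > 0) return CA_PATH;
    if (cainfo && is_regular_file(cainfo)) return CA_INFO;
    return CA_NONE;
}

/* Name of the curl_easy_setopt option that corresponds to the decision. */
const char *ca_option_name(ca_mode m) {
    switch (m) {
    case CA_PATH: return "CURLOPT_CAPATH";
    case CA_INFO: return "CURLOPT_CAINFO";
    default:      return "(none: connections will fail verification)";
    }
}

/* Constructed fixture so the probe can be exercised without an Android
 * device: one file with a hashed name and placeholder (non-certificate) content. */
int make_sample_capath(const char *dir) {
    char path[512];
    FILE *f;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    snprintf(path, sizeof path, "%s/5ed36f99.0", dir); /* constructed name */
    f = fopen(path, "w");
    if (!f) return -1;
    fputs("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
          "-----END CERTIFICATE-----\n", f);
    fclose(f);
    return 0;
}

int main(void) {
    /* Hypothetical paths: the Android system store and an app-bundled cacert.pem. */
    const char *sys_capath = "/system/etc/security/cacerts";
    const char *app_bundle = "./assets/cacert.pem";
    ca_mode m = choose_ca_source(sys_capath, app_bundle);
    printf("use %s\n", ca_option_name(m));
    return m == CA_NONE;
}
```

Only the OpenSSL-linked build discussed in the thread is expected to honour CURLOPT_CAPATH; when the probe picks CA_PATH, set that option, and when it picks CA_INFO, set CURLOPT_CAINFO to the bundle path (set_opt calls are left out here because the example is not linked against libcurl). Shipping the bundle as the fallback is what keeps the application working on builds without a system store, and refreshing that bundle is the maintenance cost the original question was about.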

Received on 2019-03-22