
curl-library

Re: Dealing with certificates when using custom OpenSSL build with curl

From: Andreas Falkenhahn via curl-library <curl-library_at_cool.haxx.se>
Date: Sat, 23 Mar 2019 13:55:10 +0100

On 22.03.2019 at 19:34 Ray Satiro via curl-library wrote:

> Doesn't Android have /system/etc/security/cacerts and will that work as
> capath instead of using the bundle as cainfo?

Ok, after Luca's mail I tried it and it's indeed possible to access /system/etc/security/cacerts
and read all the certificate files from there.

But, setting CURLOPT_CAPATH to /system/etc/security/cacerts doesn't work
with OpenSSL 1.x because apparently, the names of the individual certificates
in that directory use an MD5 hash while OpenSSL 1.x expects an SHA1 hash.
People have discussed this here:

https://stackoverflow.com/questions/25253823/how-to-make-ssl-peer-verify-work-on-android
https://stackoverflow.com/questions/26935662/openssl-1-0-2-to-read-md5-ca-certificates

People have suggested that one should just concat all the individual certificate
files from /system/etc/security/cacerts into a single file and set that
using CURLOPT_CAINFO but I think it's a better idea to use a recent cacert.pem
from curl's homepage and hard-code it into the curl build using --with-ca-bundle
because all the solutions suggested above make lots of assumptions that might
not work in future Android versions...

-- 
Best regards,
 Andreas Falkenhahn                            mailto:andreas_at_falkenhahn.com
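Added example (Python, stdlib only; not code from the thread or from curl/OpenSSL): it extracts a certificate's subject Name and computes the legacy MD5-based file name that OpenSSL 0.9.x and Android's cacerts directory use, which is why an OpenSSL 1.x CApath lookup (SHA1-based names) misses those files. The sample certificate and the helper names (`der_tlv`, `subject_der`, `legacy_hash_filename`, `legacy_named_files`) are constructed for illustration.

```python
"""Why CURLOPT_CAPATH misses an Android-style cacerts directory (constructed example).
OpenSSL looks a CA up by file name <hash>.<n>: the first 4 bytes of a digest of the
subject Name as a little-endian 32-bit integer, printed as 8 hex digits.  OpenSSL 0.9.x
used MD5 over the raw DER Name (X509_NAME_hash_old); 1.x uses SHA1 over its canonical
Name encoding (X509_NAME_hash).  Android keeps the MD5 names, so 1.x never finds them."""
import hashlib

def der_tlv(data: bytes, pos: int = 0):
    """Decode one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def subject_der(cert_der: bytes) -> bytes:
    """Return the subject Name (tag, length and value) of a DER X.509 certificate."""
    tbs = der_tlv(der_tlv(cert_der)[1])[1]   # Certificate -> tbsCertificate contents
    tag, _, pos = der_tlv(tbs)
    if tag == 0xA0:                          # optional [0] EXPLICIT version is present
        _, _, pos = der_tlv(tbs, pos)        # serialNumber
    for _ in range(3):                       # signature, issuer, validity
        _, _, pos = der_tlv(tbs, pos)
    return tbs[pos:der_tlv(tbs, pos)[2]]     # subject

def legacy_hash_filename(name_der: bytes, index: int = 0) -> str:
    """Legacy (Android) file name: MD5 of the raw subject DER, as X509_NAME_hash_old does."""
    digest = hashlib.md5(name_der).digest()
    return "%08x.%d" % (int.from_bytes(digest[:4], "little"), index)

def legacy_named_files(entries: dict) -> list:
    """entries maps file name -> certificate DER; returns the names that follow the MD5
    scheme, i.e. the files an OpenSSL 1.x CApath lookup (SHA1 names) would not find."""
    hits = []
    for fname, der in entries.items():
        idx = fname.rpartition(".")[2]
        if idx.isdigit() and fname == legacy_hash_filename(subject_der(der), int(idx)):
            hits.append(fname)
    return hits

def _der(tag: int, value: bytes) -> bytes:   # short-form DER encoder for the sample below
    return bytes([tag, len(value)]) + value
# Constructed sample certificate (not a real CA): CN=Test CA, self-issued, dummy signature.
SAMPLE_SUBJECT = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"Test CA"))))
_SIG_ALG = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
_VALIDITY = _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, b"290101000000Z"))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SIG_ALG
            + SAMPLE_SUBJECT + _VALIDITY + SAMPLE_SUBJECT)
SAMPLE_CERT = _der(0x30, _TBS + _SIG_ALG + _der(0x03, b"\x00\x00"))
```

Running `legacy_hash_filename(subject_der(SAMPLE_CERT))` gives the name Android would store this CA under; the SHA1-based name OpenSSL 1.x looks for needs OpenSSL's canonical Name encoding and is not reproduced here.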
Received on 2019-03-23