Clarification on support for CURLOPT_CAINFO

From: Richard Alcock via curl-library <>
Date: Wed, 5 Jun 2019 10:11:55 +0100 says

(iOS and macOS) If curl is built against Secure Transport, then this
option is supported for backward compatibility with other SSL engines,
but it should not be set. If the option is not set, then curl will use
the certificates in the system and user Keychain to verify the peer,
which is the preferred method of verifying the peer's certificate.

(Schannel) This option is supported for Schannel in Windows 7 or later
but we recommend not using it until Windows 8 since it works better
starting then. Added in libcurl 7.60. This option is supported for
backward compatibility with other SSL engines; instead it is
recommended to use Windows' store of root certificates (the default
for Schannel).
For SSL engines that don't support certificate files the
CURLOPT_CAINFO option is ignored. Refer to

In the table in, it has
"Uses Certificate/Key Files" as a "no" for Schannel and Secure
Transport, and lower down:

"For engines that use a database and don't also support files, the
CURLOPT_CAINFO option is ignored."

If I'm understanding them correctly, these two sources contradict each
other, CURLOPT_CAINFO is supported for Schannel and Secure Transport,
and it isn't ignored. It isn't the preferred/recommended method for
those back-ends, but it is expected to work.

Is this correct? Happy to create an issue and try a PR if so, and very
happy to be corrected before I start to rely on setting CURLOPT_CAINFO
for these backends.

Received on 2019-06-05
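
One way an application could follow the recommendation quoted in the mail above, as an added example that is not part of the original mail or of curl's own code: decide from the TLS backend string (the `ssl_version` field of `curl_version_info()`) whether to set CURLOPT_CAINFO at all. The helper names, the backend spellings ("Schannel", "WinSSL", "SecureTransport") and the parenthesised-inactive-backend format of MultiSSL builds are assumptions; the sample strings are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum ca_source { CA_FROM_FILE, CA_FROM_OS_STORE };

/* Backends for which the quoted text prefers the OS certificate store.
   Spellings are assumed, not taken from the mail. */
static const char *const os_store[] = { "Schannel", "WinSSL", "SecureTransport" };

static int ieq(const char *a, const char *b)   /* case-insensitive equality */
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == *b;
}

/* Copy the active backend name out of an ssl_version-style string.
   Assumed format: space-separated "Name[/version]" tokens, inactive
   MultiSSL backends wrapped in parentheses. Returns the name length. */
size_t active_backend(const char *ssl_version, char *out, size_t outlen)
{
    const char *p = ssl_version ? ssl_version : "";
    if (outlen == 0) return 0;
    out[0] = '\0';
    while (*p) {
        size_t tok = strcspn(p, " ");
        if (tok > 0 && p[0] != '(') {            /* first unparenthesised token */
            size_t n = 0;
            while (n < tok && p[n] != '/') n++;  /* drop "/version" */
            if (n >= outlen) n = outlen - 1;
            memcpy(out, p, n);
            out[n] = '\0';
            return n;
        }
        p += tok;
        p += strspn(p, " ");
    }
    return 0;
}

/* CA_FROM_FILE: the caller sets CURLOPT_CAINFO to its bundle path.
   CA_FROM_OS_STORE: the caller leaves the option unset. */
enum ca_source ca_source_for(const char *ssl_version)
{
    char name[32];
    size_t n = active_backend(ssl_version, name, sizeof name);
    for (size_t i = 0; n && i < sizeof os_store / sizeof *os_store; i++)
        if (ieq(name, os_store[i])) return CA_FROM_OS_STORE;
    return CA_FROM_FILE;
}

int main(void)
{
    const char *samples[] = { "OpenSSL/1.1.1c", "Schannel", "(SecureTransport) LibreSSL/2.8.3" };
    for (size_t i = 0; i < 3; i++)
        printf("%-34s -> %s\n", samples[i], ca_source_for(samples[i]) ? "OS store" : "CA file");
    return 0;
}
```

In a real program the input would be `curl_version_info(CURLVERSION_NOW)->ssl_version`, and the result decides whether `curl_easy_setopt(handle, CURLOPT_CAINFO, path)` is called.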