Clarification on support for CURLOPT_CAINFO
Date: Wed, 5 Jun 2019 10:11:55 +0100
https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html says
%%%%%%%%%%
[...]
(iOS and macOS) If curl is built against Secure Transport, then this
option is supported for backward compatibility with other SSL engines,
but it should not be set. If the option is not set, then curl will use
the certificates in the system and user Keychain to verify the peer,
which is the preferred method of verifying the peer's certificate
chain.
(Schannel) This option is supported for Schannel in Windows 7 or later
but we recommend not using it until Windows 8 since it works better
starting then. Added in libcurl 7.60. This option is supported for
backward compatibility with other SSL engines; instead it is
recommended to use Windows' store of root certificates (the default
for Schannel).
[..]
AVAILABILITY
For SSL engines that don't support certificate files the
CURLOPT_CAINFO option is ignored. Refer to
https://curl.haxx.se/docs/ssl-compared.html
%%%%%%%%%%%
In the table in https://curl.haxx.se/docs/ssl-compared.html, it has
"Uses Certificate/Key Files" as a "no" for Schannel and Secure
Transport, and lower down:
"For engines that use a database and don't also support files, the
CURLOPT_CAINFO option is ignored."
If I'm understanding them correctly, these two sources contradict each
other, CURLOPT_CAINFO is supported for Schannel and Secure Transport,
and it isn't ignored. It isn't the preferred/recommended method for
those back-ends, but it is expected to work.
Is this correct? Happy to create issue and try a PR if so, and very
happy to be corrected before I start to rely on setting CURLOPT_CAINFO
for these backends.
-- Richard ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.htmlReceived on 2019-06-05