AW: How to use Windows Certificate Store with pre-built libcurl distribution?

From: [Quipsy] Markus Karg via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 10 Feb 2022 07:01:22 +0000

I think in a first step it would be safe and sufficient if there would be *two* official builds for Windows, downloadable for the broader public: The existing one using OpenSSL, plus a new one linked against SChannel. I am pretty sure the SChannel variant will be adopted heavily once it gets published, as most Windows applications certainly strive for using the native Windows Certificate Store by default, as OpenSSL simply is more or less an alien (still) on Windows or at least is treated so by the majority of native Windows developers and administrators. At least, SChannel "is just there" on all Windows machines, while OpenSSL has to be downloaded and installed manually on *all* Windows machines.

-Markus


-----Original Message-----
From: curl-library <curl-library-bounces_at_lists.haxx.se> On Behalf Of Rich Gray via curl-library
Sent: Wednesday, 9 February 2022 23:31
To: libcurl development <curl-library_at_lists.haxx.se>
Cc: Rich Gray <rgray_at_plustechnologies.com>
Subject: Re: How to use Windows Certificate Store with pre-built libcurl distribution?

Daniel Stenberg via curl-library wrote:
> On Wed, 9 Feb 2022, [Quipsy] Markus Karg via curl-library wrote:
>
>> The curl.exe distributed with Windows 10 (which apparently is linked
>> against SChannel) is happy now and performs the HTTPS downloads. This
>> proves that both curl.exe and the Windows Certificate Store are
>> working correctly.
>
> Yes, that support comes "automatically" when using Schannel, so it's
> not something we need to handle ourselves.
>
>> The official libcurl binary distribution for Windows (which
>> apparently is linked against OpenSSL) fails with code 60, even if I
>> set the CURLOPT_SSLOPTIONS to CURLSSLOPT_NATIVE_CA. This proves that
>> EITHER that experimental feature is disabled in the official libcurl
>> binary for Windows OR the experimental feature is simply broken.
>
> We discourage people from enabling experimental features in
> production, since they are EXPERIMENTAL. To me, it then seems fair and
> consistent that we then also don't enable it for the binaries we provide in the project.
>
> I actually can't really tell how well this feature works since it seems
> basically nobody enables/uses it, which makes it a catch-22 situation
> where it seems it can't leave the experimental status either.
>
>> Is there a solution other than compiling my own libcurl?
>
> The only other option I can think of, is that you find/persuade/pay
> someone else to provide such a build for you.
>

I wonder if another option would be to have semi-official builds which are linked against both OpenSSL and Schannel, defaulted to OpenSSL. Then users can use the curl_global_sslset function or environment variable CURL_SSL_BACKEND to override. Maybe eventually this could become the standard Windows build?

Rich

--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2022-02-10
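
The thread turns on which TLS backend a given curl build is linked against, and on Rich's suggestion of a build that carries both OpenSSL and Schannel. As an added example (not part of the thread and not code from the curl project), the script below reads the first line of `curl --version` and reports whether Schannel, and with it the Windows Certificate Store, is the active backend, is built in but unselected, or is absent. The function names are hypothetical and the sample version lines are constructed.

```shell
#!/bin/sh
# Added example: read the TLS backends out of the first line of `curl --version`.
# A multi-backend libcurl prints compiled-in but unselected backends in parentheses.

# Constructed sample lines, not captured from real builds.
SAMPLE_OPENSSL='curl 7.81.0 (x86_64-pc-win32) libcurl/7.81.0 OpenSSL/1.1.1m zlib/1.2.11'
SAMPLE_SCHANNEL='curl 7.79.1 (Windows) libcurl/7.79.1 Schannel'
SAMPLE_MULTI='curl 7.81.0 (x86_64-pc-win32) libcurl/7.81.0 OpenSSL/1.1.1m (Schannel) zlib/1.2.11'

# tls_backends LINE: print "active=<names> inactive=<names>" (comma separated).
tls_backends() {
    tb_active='' tb_inactive='' tb_seen=0
    for tb_tok in $1; do
        # Ignore everything up to libcurl/x.y.z, including the "(platform)" token.
        case $tb_tok in libcurl/*) tb_seen=1; continue ;; esac
        [ "$tb_seen" -eq 1 ] || continue
        case $tb_tok in
            \(*\)) tb_sel=0; tb_tok=${tb_tok#\(}; tb_tok=${tb_tok%\)} ;;
            *)     tb_sel=1 ;;
        esac
        tb_name=${tb_tok%%/*}
        # Backend names recognised here; the list is not exhaustive.
        case $tb_name in
            OpenSSL|LibreSSL|Schannel|GnuTLS|mbedTLS|wolfSSL) ;;
            *) continue ;;
        esac
        if [ "$tb_sel" -eq 1 ]; then
            tb_active=${tb_active:+$tb_active,}$tb_name
        else
            tb_inactive=${tb_inactive:+$tb_inactive,}$tb_name
        fi
    done
    printf 'active=%s inactive=%s\n' "$tb_active" "$tb_inactive"
}

# schannel_status LINE: "active", "selectable" (built in; needs
# CURL_SSL_BACKEND=schannel or curl_global_sslset to be chosen), or "absent".
schannel_status() {
    ss_out=$(tls_backends "$1")
    ss_act=${ss_out%% *}; ss_act=${ss_act#active=}
    ss_in=${ss_out##* inactive=}
    case ",$ss_act," in *,Schannel,*) echo active; return ;; esac
    case ",$ss_in," in *,Schannel,*) echo selectable; return ;; esac
    echo absent
}

for line in "$SAMPLE_OPENSSL" "$SAMPLE_SCHANNEL" "$SAMPLE_MULTI"; do
    printf '%s -> %s\n' "$(tls_backends "$line")" "$(schannel_status "$line")"
done
```

To check an installed binary, pass it the real first line: `schannel_status "$(curl --version | head -n 1)"`.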