Re: How to handle CA certificate bundles in portable application bundles (e.g., AppImages)?
From: Timothe Litt <litt_at_acm.org>
Date: Thu, 19 May 2022 05:43:19 -0400
On 19-May-22 04:38, Daniel Stenberg via curl-library wrote:
> On Wed, 18 May 2022, TheAssassin via curl-library wrote:
>
>> I could imagine that (maybe in addition) to that search path, libcurl
>> could allow developers to specify a list of bundles.
>
> I don't see how it makes any functional difference if the app makes
> that search or if libcurl does it.
>
> Supporting more than one file is an interesting idea. This current
> single file restriction (except for OpenSSL which can have a directory
> of certs) is primarily because of how the TLS libraries' APIs for doing
> certificate loading/verification. It could certainly be changed to
> support multiple files, but it would not be an insignificant amount
> of work...
>
Although I suppose one could come up with some use cases, isn't this
exactly equivalent to concatenating the multiple files into one? If
it's not convenient to do this externally to the application, this is
easily done by the application with a tempfile - more easily than by
libcurl due to lifetime considerations.
Roughly:
    bigbundle = tmpfile();
    foreach bundle { open(); while read(bundle) { write(bigbundle) }; close(); }
    fflush(bigbundle); seek(0);
    curl_easy_setopt(curl, CURLOPT_CAINFO, "/dev/fd/" + fileno(bigbundle)) ...
Such a temp file will go away at exit, or if bigbundle is closed.
(knowing when to close it is what might be tricky for libcurl, depending
on when the TLS library is done with the file.)
If the list is used more than once, creating the big bundle will be more
efficient if done externally - even if libcurl tried to cache it, which
would get messy.
If there were enough use cases to justify it, I guess concatenating
files into a tempfile could be a libcurl convenience function... it
doesn't seem like a lot of work either way.
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
Received on 2022-05-19
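The tmpfile approach sketched in the message above, carried through in C as an added example (not code from the post or from libcurl): build_ca_bundle() concatenates the listed bundle files into an anonymous tmpfile(), guarantees a newline between bundles, and returns the /dev/fd/N path to hand to curl_easy_setopt(curl, CURLOPT_CAINFO, ...). The function names, the constructed PEM fixture in self_check() and the Linux/BSD /dev/fd convention are assumptions; libcurl is not linked here, so the setopt call appears only in a comment.

```c
#define _POSIX_C_SOURCE 200809L   /* for fileno() */
#include <stdio.h>
#include <string.h>
/* Copy one PEM bundle into dst, adding a newline if the source lacks a final one:
 * otherwise "-----END CERTIFICATE-----" is glued to the next "-----BEGIN ..." line. */
static int append_bundle(FILE *dst, FILE *src)
{
    char buf[4096]; size_t n, total = 0; int last = '\n';
    while ((n = fread(buf, 1, sizeof buf, src)) > 0) {
        if (fwrite(buf, 1, n, dst) != n) return -1;
        last = buf[n - 1]; total += n;
    }
    return (ferror(src) || (total && last != '\n' && fputc('\n', dst) == EOF)) ? -1 : 0;
}
/* Concatenate bundles into an anonymous tmpfile() and write its "/dev/fd/N" path (Linux/BSD)
 * into devfd for curl_easy_setopt(curl, CURLOPT_CAINFO, devfd). The caller must keep the
 * returned FILE open until the curl handle is done; fclose() is what deletes the bundle. */
FILE *build_ca_bundle(const char *const *paths, size_t count, char *devfd, size_t cap)
{
    FILE *big = tmpfile();
    if (!big) return NULL;
    for (size_t i = 0; i < count; i++) {
        FILE *in = fopen(paths[i], "rb");
        int rc = in ? append_bundle(big, in) : -1;
        if (in) fclose(in);
        if (rc) { fclose(big); return NULL; }
    }
    /* Flush before anyone else opens the path; rewind for systems where opening
     * /dev/fd/N shares this descriptor's offset rather than reopening the file. */
    if (fflush(big) || fseek(big, 0, SEEK_SET)) { fclose(big); return NULL; }
    snprintf(devfd, cap, "/dev/fd/%d", fileno(big));
    return big;
}
/* Constructed fixture, not real certificates: two one-block bundles, the first lacking its
 * final newline, passed in via their own /dev/fd paths. Returns 1 if both blocks stay separate. */
int self_check(void)
{
    static const char *pem[2] = { "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----",
                                  "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n" };
    FILE *in[2], *big; char path[2][32], devfd[32], out[256]; const char *paths[2];
    for (int i = 0; i < 2; i++) {
        if (!(in[i] = tmpfile())) return 0;
        fputs(pem[i], in[i]); fflush(in[i]); rewind(in[i]);
        snprintf(path[i], sizeof path[i], "/dev/fd/%d", fileno(in[i])); paths[i] = path[i];
    }
    if (!(big = build_ca_bundle(paths, 2, devfd, sizeof devfd))) return 0;
    size_t n = fread(out, 1, sizeof out - 1, big); out[n] = '\0';
    fclose(big); fclose(in[0]); fclose(in[1]);
    return strstr(out, "CERTIFICATE-----\n-----BEGIN") != NULL && !strstr(out, "----------");
}
```

Newer libcurl also accepts the concatenated PEM data in memory through CURLOPT_CAINFO_BLOB, which sidesteps the file-lifetime question the message raises.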