curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Is CURLSSLOPT_NATIVE_CA still experimental?

From: Fujii Hironori via curl-library <>
Date: Wed, 11 Jan 2023 11:26:28 +0900

Just for your information, you may run into the same problem of
In such a case, you have to import the certs by yourself.

On Fri, Jan 6, 2023 at 12:09 AM Jeroen Ooms via curl-library <> wrote:

> Hello,
> I maintain the R bindings, which are used by a lot of Windows users
> inside corporate/academic networks.
> A few years ago, we switched the default-ssl-backend on Windows from
> openssl to schannel. The main motivation was that many corporate
> networks use custom SSL certificates which are stored in the windows
> cert store. By switching to schannel, curl would be able to use these
> certs and we would not have to ship a custom ca-bundle with the
> bindings which always was a pain.
> It has worked well, but now I am not considering switching back to
> openssl and enable CURLSSLOPT_NATIVE_CA by default. The reason this
> time is that users want to use nghttp2 and that openssl seems more
> robust than schannel for servers that behave unexpectedly (which sadly
> is common in our field).
> However the documentation says CURLSSLOPT_NATIVE_CA (introduced in
> 7.71.0) is experimental and subject to change. Is it safe to use at
> this point? I tried running our tests on a few machines (vista, win-7,
> win-10, and some GHA runners) and it all seems to work. Has anyone
> experienced issues with it, or is aware of edge-cases that I should be
> aware of?
> Thanks
> Jeroen
> --
> Unsubscribe:
> Etiquette:

Received on 2023-01-11