Re: Is CURLSSLOPT_NATIVE_CA still experimental?
From: Fujii Hironori via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 11 Jan 2023 11:26:28 +0900
Just for your information, you may run into the same problem with
CURLSSLOPT_NATIVE_CA as I did.
https://github.com/curl/curl/pull/6502
In such a case, you have to import the certs yourself.
On Fri, Jan 6, 2023 at 12:09 AM Jeroen Ooms via curl-library <
curl-library_at_lists.haxx.se> wrote:
> Hello,
>
> I maintain the R bindings, which are used by a lot of Windows users
> inside corporate/academic networks.
>
> A few years ago, we switched the default-ssl-backend on Windows from
> openssl to schannel. The main motivation was that many corporate
> networks use custom SSL certificates which are stored in the windows
> cert store. By switching to schannel, curl would be able to use these
> certs and we would not have to ship a custom ca-bundle with the
> bindings which always was a pain.
>
> It has worked well, but now I am not considering switching back to
> openssl and enable CURLSSLOPT_NATIVE_CA by default. The reason this
> time is that users want to use nghttp2 and that openssl seems more
> robust than schannel for servers that behave unexpectedly (which sadly
> is common in our field).
>
> However the documentation says CURLSSLOPT_NATIVE_CA (introduced in
> 7.71.0) is experimental and subject to change. Is it safe to use at
> this point? I tried running our tests on a few machines (vista, win-7,
> win-10, and some GHA runners) and it all seems to work. Has anyone
> experienced issues with it, or is aware of edge-cases that I should be
> aware of?
>
> Thanks
>
> Jeroen
> --
> Unsubscribe: https://lists.haxx.se/listinfo/curl-library
> Etiquette: https://curl.se/mail/etiquette.html
>
Received on 2023-01-11