Re: Help using libcurl with HTTP proxy on Android device
From: David Castillo via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 10 Apr 2023 17:13:58 -0700

Thanks for the reply!

> First, that sounds like a path for *added* CA certificates. You probably will
> not be happy with just the added ones unless you only work against a specific
> server for which you add the necessary CA certs.

I think I should have added the fact that when I first tried this using
Charles (https://www.charlesproxy.com/) proxy, I got this error: "SSL
certificate problem: self signed certificate in certificate chain".
From my understanding, this error happens because the Charles' root
certificate I installed couldn't be found since curl is only looking at the
system CA certificates stored in the "/system/etc/security/cacerts"
directory. So, I tried to change the CURLOPT_CAPATH option to the path
where user-installed certificates are stored (the plan was to do this only
when a proxy is detected). I wouldn't be surprised if I got this completely
wrong and I shouldn't be changing CURLOPT_CAPATH.

> "the certificate" when talking about CA certificates sounds like something is
> off. Are you really only going to trust a single CA cert? Or are you talking
> about a client certificate here?
>
> Client certificates are often using DER format. CA certificate less so.

I'm probably mixing terminologies here, but when I'm talking about "the
certificate" I'm referring to the Charles root certificate I installed on
my device.

> Why do you need certificates at all just because you use a proxy? Are you
> saying you are using a HTTPS proxy? If so, don't you want to set
> CURLOPT_PROXY_CAINFO rather than the CA for the server connection?

Yes, I think in this case Charles is acting as an HTTPS proxy, since I need
to trust its certificate. I tried setting CURLOPT_PROXY_CAINFO to
"/data/misc/user/0/cacerts-added", but I still get the "self signed
certificate in certificate chain" error. From the documentation, it looks
like this option expects a file path, so I tried
"/data/misc/user/0/cacerts-added/924c6f19.0" which is the file of the
Charles root certificate, but no luck.

Received on 2023-04-11
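
Added example (not part of the original message, and not code from curl, Charles or Android): the quoted reply points out that trusting only the added certificates is rarely enough and that DER and PEM encodings both occur, so this Python helper merges several CA directories, such as the two named in the message, into one PEM file of the kind CURLOPT_CAINFO takes, accepting input files in either encoding. The names `certs_in_file`, `build_bundle` and `demo` are hypothetical, and the sample bytes are constructed placeholders rather than real certificates.

```python
import base64
import re
import ssl
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def certs_in_file(path):
    """Return the DER bytes of every certificate in one file (PEM or raw DER)."""
    raw = Path(path).read_bytes()
    blocks = PEM_RE.findall(raw.decode("latin-1"))
    if blocks:
        return [base64.b64decode("".join(b.split())) for b in blocks]
    # No PEM armour: accept the file as one DER certificate only if it
    # starts with the ASN.1 SEQUENCE tag (0x30); otherwise skip it.
    return [raw] if raw[:1] == b"\x30" else []

def build_bundle(ca_dirs, out_file):
    """Merge all certificates under ca_dirs into one PEM file; return the count."""
    seen, pem = set(), []
    for d in ca_dirs:
        for f in sorted(Path(d).iterdir()):
            if not f.is_file():
                continue
            for der in certs_in_file(f):
                if der not in seen:          # drop exact duplicates
                    seen.add(der)
                    pem.append(ssl.DER_cert_to_PEM_cert(der))
    Path(out_file).write_text("".join(pem))
    return len(pem)

def demo():
    """Run on constructed placeholder bytes (assumption: not real certificates)."""
    a, b = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
    with tempfile.TemporaryDirectory() as tmp:
        system, user = Path(tmp, "system"), Path(tmp, "user-added")
        system.mkdir()
        user.mkdir()
        (system / "aaaaaaaa.0").write_text(ssl.DER_cert_to_PEM_cert(a) + "text dump\n")
        (user / "bbbbbbbb.0").write_bytes(b)   # raw DER file
        (user / "cccccccc.0").write_bytes(a)   # duplicate of the system entry
        out = Path(tmp, "bundle.pem")
        return build_bundle([system, user], out), out.read_text()

if __name__ == "__main__":
    print(demo()[0])
```

Whether a merged bundle resolves the error reported in this message is not established by the thread; the helper only shows how the directories and encodings can be normalised into a single file.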