Re: Help using libcurl with HTTP proxy on Android device
From: Jeffrey Walton via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 11 Apr 2023 21:50:08 -0400
On Tue, Apr 11, 2023 at 9:03 PM David Castillo <casvel.d_at_gmail.com> wrote:
>
> > There used to be at least two locations used on Android for
> > certificates. Maybe OpenSSL is only using one of them?
>
> Yes, user-installed certificates are stored in the "/data/misc/user/0/cacerts-added" directory while system certificates are stored in "/system/etc/security/cacerts" directory. That's why when I detect there's a proxy, I update the "CURLOPT_CAPATH" option to the user-installed CA cert directory. But the certificates in the user-installed directory are installed as DER format and libcurl fails to open them with this error: `BoringSSL: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE`
Forgive my ignorance...
Is this a script or a [Java?] program? If it is a script, then you
can... if you detect a proxy, then loop over
/data/misc/user/0/cacerts-added, and perform:
# from a for loop over the user-added directory
for file in /data/misc/user/0/cacerts-added/*; do
    der=${file}
    # strip the directory, then rename .der -> .pem (no literal "$" in the replacement)
    pem=$(basename "${file}" | sed -e 's/\.der$/.pem/')
    openssl x509 -in "${der}" -inform DER \
        -out "${prefix}/${pem}" -outform PEM
done
Then, point CURLOPT_CAPATH to where you write the files (i.e., ${prefix}).
If it is a program, then you have to do heavier lifting. Read both
locations, create one store, and then use the one store for
validation. See, for example,
https://www.openssl.org/docs/man3.0/man3/OSSL_STORE_CTX.html and
Jeff
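As an added example that is not code from this thread, from curl, or from OpenSSL: the script below merges both Android certificate directories named above into one PEM bundle, converting any DER files to PEM on the way (PEM is just base64 of the DER with BEGIN/END markers, so no openssl binary is needed). Assumptions: the directory paths are the two from the message (user 0 is assumed), the bundle is written to an app-writable path chosen by the caller, and the app then sets CURLOPT_CAINFO to that file instead of CURLOPT_CAPATH, which avoids CAPATH's requirement that files be c_rehash-style hash-named. The DER bytes in the self-check are a constructed placeholder, not a real certificate.

```python
"""Merge Android system and user-installed CA directories into one PEM bundle.

The user-added directory may hold DER files, which libcurl's PEM loader
rejects with NO_START_LINE.  Normalizing every file to PEM and pointing
CURLOPT_CAINFO at the resulting bundle gives libcurl one store that
covers both locations.
"""
import base64
from pathlib import Path
from typing import Iterable, List, Tuple

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Directories from the thread; "user/0" assumes the primary Android user.
DEFAULT_SOURCES = (
    "/system/etc/security/cacerts",
    "/data/misc/user/0/cacerts-added",
)


def looks_like_der(data: bytes) -> bool:
    """DER certificates start with a constructed SEQUENCE tag (0x30);
    PEM files are ASCII text containing the BEGIN marker."""
    return len(data) > 0 and data[0] == 0x30 and PEM_BEGIN not in data


def der_to_pem(der: bytes) -> bytes:
    """Wrap raw DER bytes as a PEM CERTIFICATE block (base64, 64-char lines)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_BEGIN, *lines, PEM_END]) + b"\n"


def extract_pem_blocks(data: bytes) -> List[bytes]:
    """Return each CERTIFICATE block in a PEM file, dropping any
    human-readable text around it (system cert files may carry a text dump)."""
    blocks = []
    pos = 0
    while True:
        start = data.find(PEM_BEGIN, pos)
        if start < 0:
            return blocks
        end = data.find(PEM_END, start)
        if end < 0:
            return blocks  # truncated block: skip rather than emit garbage
        end += len(PEM_END)
        blocks.append(data[start:end] + b"\n")
        pos = end


def normalize_cert_file(data: bytes) -> List[bytes]:
    """PEM blocks for one file regardless of whether it is DER or PEM."""
    if looks_like_der(data):
        return [der_to_pem(data)]
    return extract_pem_blocks(data)


def build_bundle(sources: Iterable[str], out_path: str) -> int:
    """Write every certificate found under the source dirs to one PEM
    bundle; returns the number of certificate blocks written."""
    count = 0
    with open(out_path, "wb") as out:
        for src in sources:
            src_dir = Path(src)
            if not src_dir.is_dir():
                continue  # e.g. no user-added certs on this device
            for entry in sorted(src_dir.iterdir()):
                if not entry.is_file():
                    continue
                for block in normalize_cert_file(entry.read_bytes()):
                    out.write(block)
                    count += 1
    return count


def demo() -> Tuple[int, bytes]:
    """Self-check on constructed fixtures in a temporary directory:
    one DER-encoded file and one PEM file followed by a text dump."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sys_dir = Path(tmp, "system")
        user_dir = Path(tmp, "user")
        sys_dir.mkdir()
        user_dir.mkdir()
        fake_der = bytes([0x30, 0x03, 0x02, 0x01, 0x05])  # constructed, not a real cert
        (user_dir / "abc12345.0").write_bytes(fake_der)
        (sys_dir / "def67890.0").write_bytes(
            der_to_pem(fake_der) + b"Certificate:\n    Data:\n")
        bundle = str(Path(tmp, "bundle.pem"))
        n = build_bundle([str(sys_dir), str(user_dir), str(Path(tmp, "missing"))], bundle)
        return n, Path(bundle).read_bytes()


if __name__ == "__main__":
    # On a device: build_bundle(DEFAULT_SOURCES, "<app files dir>/ca-bundle.pem")
    print(demo())
```

On the device the app calls build_bundle(DEFAULT_SOURCES, path) when it detects the proxy and hands the resulting path to CURLOPT_CAINFO; rebuilding the bundle whenever the user-added directory changes keeps newly installed proxy CAs in scope.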
Received on 2023-04-12