curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Default to CURLSSLOPT_NATIVE_CA for curl --without-ca-bundle ?

From: Daniel Stenberg via curl-library <>
Date: Wed, 18 Oct 2023 10:38:53 +0200 (CEST)

On Tue, 17 Oct 2023, Jeroen Ooms wrote:

> To me the situation seems a bit less edge-case than you portray it; on a lot
> of systems there may not be a CA pem bundle, hence using the system certs
> seems like a sensible default to build a portable (lib)curl. But I see the
> backward-compatibility issue, so we can just set patch this in our build, no
> problem at all.

Switching beween a CA cert bundle and the system CA store is something that
shouldn't be treated or done lightly.

HTTPS and TLS are based on trust. The bundle lists the CAs you trust. If you
use curl with a CA bundle, that bundle contains the CAs you trust. To some
level and extent. Sure, most people won't care or know or meddle with that,
but some will. That's what the CA bundle allows.

Changing this trust source from the bundle to the system CA store without the
user consent is dangerous and will likely in some cases suddenly make
transfers go through that otherwise would be rejected. Or vice versa. Contrary
to what the user wants.

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
Received on 2023-10-18