Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: Default to CURLSSLOPT_NATIVE_CA for curl --without-ca-bundle ?
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Jeroen Ooms via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 18 Oct 2023 15:45:42 +0200
On Wed, Oct 18, 2023 at 10:38 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Tue, 17 Oct 2023, Jeroen Ooms wrote:
>
> > To me the situation seems a bit less edge-case than you portray it; on a lot
> > of systems there may not be a CA pem bundle, hence using the system certs
> > seems like a sensible default to build a portable (lib)curl. But I see the
> > backward-compatibility issue, so we can just set patch this in our build, no
> > problem at all.
>
> Switching beween a CA cert bundle and the system CA store is something that
> shouldn't be treated or done lightly.
>
> HTTPS and TLS are based on trust. The bundle lists the CAs you trust. If you
> use curl with a CA bundle, that bundle contains the CAs you trust. To some
> level and extent. Sure, most people won't care or know or meddle with that,
> but some will. That's what the CA bundle allows.
>
> Changing this trust source from the bundle to the system CA store without the
> user consent is dangerous and will likely in some cases suddenly make
> transfers go through that otherwise would be rejected. Or vice versa. Contrary
> to what the user wants.
Yes, 100% agree. This is precisely why we want our curl build for
Windows to use the system CA store, regardless of which
CURL_SSL_BACKEND is picked at runtime. Currently it uses Windows CA
for Schannel (the default) but when the user sets
CURL_SSL_BACKEND=openssl, it uses CURL_CA_BUNDLE
I think that Windows is different from Linux distributions in what can
be considered the safe CA source. On Linux you may assume your distro
provides an up-to-date openssl and CA bundle. But on Windows, openssl
is usually statically linked in curl, and the OS does not provide an
official CA pem bundle. The application needs to ship some CA.pem
which does not receive updates from MS. Only the native Windows CA
store receives automatic (critical) windows updates.
Either way, just explaining my suggestion but I completely understand
your point. We will just handle this in the bindings.
Thanks!
Date: Wed, 18 Oct 2023 15:45:42 +0200
On Wed, Oct 18, 2023 at 10:38 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Tue, 17 Oct 2023, Jeroen Ooms wrote:
>
> > To me the situation seems a bit less edge-case than you portray it; on a lot
> > of systems there may not be a CA pem bundle, hence using the system certs
> > seems like a sensible default to build a portable (lib)curl. But I see the
> > backward-compatibility issue, so we can just set patch this in our build, no
> > problem at all.
>
> Switching beween a CA cert bundle and the system CA store is something that
> shouldn't be treated or done lightly.
>
> HTTPS and TLS are based on trust. The bundle lists the CAs you trust. If you
> use curl with a CA bundle, that bundle contains the CAs you trust. To some
> level and extent. Sure, most people won't care or know or meddle with that,
> but some will. That's what the CA bundle allows.
>
> Changing this trust source from the bundle to the system CA store without the
> user consent is dangerous and will likely in some cases suddenly make
> transfers go through that otherwise would be rejected. Or vice versa. Contrary
> to what the user wants.
Yes, 100% agree. This is precisely why we want our curl build for
Windows to use the system CA store, regardless of which
CURL_SSL_BACKEND is picked at runtime. Currently it uses Windows CA
for Schannel (the default) but when the user sets
CURL_SSL_BACKEND=openssl, it uses CURL_CA_BUNDLE
I think that Windows is different from Linux distributions in what can
be considered the safe CA source. On Linux you may assume your distro
provides an up-to-date openssl and CA bundle. But on Windows, openssl
is usually statically linked in curl, and the OS does not provide an
official CA pem bundle. The application needs to ship some CA.pem
which does not receive updates from MS. Only the native Windows CA
store receives automatic (critical) windows updates.
Either way, just explaining my suggestion but I completely understand
your point. We will just handle this in the bindings.
Thanks!
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2023-10-18