Re: systematic loading of ca-certificates.crt
From: Rainer Canavan via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 14 Feb 2025 17:50:31 +0100
On Fri, Feb 14, 2025 at 4:16 PM Sorin Manolache via curl-library
<curl-library_at_lists.haxx.se> wrote:
>
> Hello,
[...]
> I notice that /etc/ssl/certs/ca-certificates.crt is loaded every time I open a connection to a https URL.
>
[...]
> Is there a way to use libcurl such that the certificate store is cached and shared with a connection upon the connection's creation? ca-certificates.crt has about 270 kB and loading it every time we open an SSL connection has an impact on the connection time, especially in a multi-handle setup in which we could open tens of connections simultaneously.
If you're using OpenSSL as your backend, you can use a hashed
certificate directory instead of a single file by pointing
https://curl.se/libcurl/c/CURLOPT_CAPATH.html to just such a directory
if your OS distribution is not already doing that for you. You may have
to set CURLOPT_CAINFO explicitly to NULL, a file with a single
certificate or even an empty file, depending on how your curl /
openssl have been compiled to actually benefit from the hashed
CURLOPT_CAPATH directory.
Rainer
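As an added illustration of the hashed-directory setup the reply describes (this script is not from the post or from the curl project), the following builds an OpenSSL-style CAPATH directory from a single PEM bundle: it splits the bundle into one file per certificate and then creates the subject-hash symlinks OpenSSL looks up by name. The bundle and output paths are assumptions; the directory it produces is what you would hand to libcurl through CURLOPT_CAPATH, with CURLOPT_CAINFO set to NULL or an empty file as noted above.

```shell
#!/bin/sh
# Added example: turn a PEM CA bundle into a hashed directory usable as
# CURLOPT_CAPATH. Paths passed on the command line are assumptions.
set -eu

# Split a PEM bundle ($1) into one file per certificate inside $2.
# Files are named cert-NNNN.pem; the number of certificates is printed.
split_bundle() {
    bundle=$1
    dir=$2
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Create the <subject-hash>.N symlinks OpenSSL resolves when verifying.
# "openssl rehash" ships with OpenSSL 1.1.0 and later; older releases
# provide the c_rehash script instead.
rehash_dir() {
    dir=$1
    openssl rehash "$dir" 2>/dev/null || c_rehash "$dir"
}

# Usage: sh hashed-capath.sh /etc/ssl/certs/ca-certificates.crt ./hashed-certs
if [ $# -ge 2 ]; then
    count=$(split_bundle "$1" "$2")
    rehash_dir "$2"
    echo "wrote $count certificates into $2; point CURLOPT_CAPATH at it"
fi
```

Because the hash lookup only opens the few files matching the issuer of the certificate being verified, libcurl no longer has to parse the whole bundle on every connection.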
Received on 2025-02-14