
RE: -cacert behaves differently on Windows and Unix. Does this matter?

From: Rod Widdowson via curl-library <curl-library_at_lists.haxx.se>
Date: Sat, 10 May 2025 11:26:01 +0100

Thank you. That has helped me a great deal.

> It is not about Windows and Unix at all. It is about curl behaving slightly
> differently depending on which TLS backend it is built with and told to use.

Absolutely, I was being sloppy. For the record I should state that I was enquiring specifically about the SChannel backend.

Having explicitly tested them I must confirm that on Windows, curl built against LibreSSL and curl built against OpenSSL both behave
as I (wrongly) ascribed to "Unix".

Your answer has allowed me to clarify my thoughts significantly.

Is this a fair statement:

"Opinions differ as to what is correct and curl delegates this behaviour to the SSL backend of your choice. Multiple backends are
available on multiple platforms and you should choose the one which fits your requirements and/or understanding of the spec".

I can work with that.

> > Additionally I'll observe that the curl code only ever inspects the first
> > cert chain presented. I don't know if this matters, but it would seem to
> > argue that cross signing certificates might be problematic.
>
> I don't believe that is generally true. We get countless questions from
> people that get errors from curl when servers don't present their intermediate
> certificate - a quite common server setup mistake.

I'm sorry, I didn't explain myself clearly. I was referring not to the certificates in the chain presented to the client, but
rather the option (present at an API level) for a client to be presented with multiple chains. But let me poke at this in my
sandbox and if there is anything interesting we can discuss it in a PR which feels like a better place to be discussing such
minutiae.

Thanks again
        Rod

Received on 2025-05-10