On 3/22/19 3:12 PM, Andreas Falkenhahn via curl-library wrote:
> When I use curl with the system's default SSL stack (e.g. DarwinSSL on macOS,
> Schannel on Windows, pre-installed OpenSSL on Linux) I don't have to use
> CURLOPT_CAINFO to tell curl which certificates to use at all. Instead, curl
> will automatically use the certificates provided by the host operating system.
>
> This is different when statically linking curl against a custom build of
> OpenSSL, e.g. on Android, where curl doesn't have access to any system
> certificates. In that case I explicitly need to tell curl which certificates to
> use by setting CURLOPT_CAINFO or it won't be able to connect.
>
> AFAICS, curl always provides a recent certificate store here:
> https://curl.haxx.se/ca/cacert.pem
>
> But how am I supposed to deal with this in my application? Should I include
> curl's cacert.pem in my application? But hard-coding a recent version of curl's
> cacert.pem in my application would require me to update my application whenever
> the cacert.pem provided by curl is updated - which is quite a hassle.
>
> So is there maybe an option to make curl automatically use the cacert.pem
> provided on curl's homepage? I think that would be useful when linking curl
> against custom builds of OpenSSL that don't have access to any certificate
> store provided by the host operating system, e.g. on Android.
>
> Or is there any other recommended way of dealing with this problem?

You can configure curl with option
--with-ca-bundle=/local/filepath/of/your/choice before compiling it and
download the cacert.pem file at this place on your target system. This
path will become the default when no CURLOPT_CAINFO setopt is issued.
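As an added illustration of the build-time/run-time split described above (this is example code, not from the thread or the curl project), the script below shows the assumed configure line and a helper that checks a downloaded cacert.pem against a pinned SHA-256 and installs it atomically at the path compiled in with --with-ca-bundle. The install path /data/local/tmp/myapp/cacert.pem, the OpenSSL prefix and the function names are assumptions for the example; the checksum comparison uses whichever of sha256sum or shasum the platform provides.

```shell
#!/bin/sh
# Added example (not from the curl-library thread or curl itself): verify a
# downloaded cacert.pem before placing it at the path that libcurl was built
# to use as its default CA bundle.
#
# Build-time step (assumed paths; choose a location the app can write to):
#   ./configure --with-ssl=/opt/openssl-android \
#               --with-ca-bundle=/data/local/tmp/myapp/cacert.pem
#
# Run-time step: fetch https://curl.haxx.se/ca/cacert.pem together with its
# published SHA-256, then call install_ca_bundle on the downloaded file.

# Print the SHA-256 of a file, using whichever tool the platform ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Sanity check: a usable bundle contains at least one PEM certificate block.
looks_like_pem_bundle() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Return 0 only if the file matches the expected digest and looks like PEM.
verify_ca_bundle() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $file" >&2; return 1; }
    looks_like_pem_bundle "$file" || { echo "$file contains no certificates" >&2; return 1; }
    return 0
}

# Install a verified bundle at dest via rename, so libcurl never reads a
# half-written file, and leave the previous bundle untouched on failure.
install_ca_bundle() {
    src=$1
    expected=$2
    dest=$3
    verify_ca_bundle "$src" "$expected" || return 1
    mkdir -p "$(dirname "$dest")" || return 1
    cp "$src" "$dest.tmp" && chmod 0644 "$dest.tmp" && mv -f "$dest.tmp" "$dest"
}
```

The download of the new bundle itself needs a trust anchor: ship the cacert.pem current at build time as the initial copy at the configured path, and use it (with peer verification left on) when fetching the refreshed bundle and its checksum. If nothing exists at the compiled-in path, libcurl has no CA to verify against and connections fail at the TLS stage rather than falling back to the OS store.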