On 3/22/2019 10:12 AM, Andreas Falkenhahn via curl-library wrote:
> When I use curl with the system's default SSL stack (e.g. DarwinSSL on macOS,
> Schannel on Windows, pre-installed OpenSSL on Linux) I don't have to use
> CURLOPT_CAINFO to tell curl which certificates to use at all. Instead, curl
> will automatically use the certificates provided by the host operating system.
>
> This is different when statically linking curl against a custom build of
> OpenSSL, e.g. on Android, where curl doesn't have access to any system
> certificates. In that case I explicitly need to tell curl which certificates
> to use by setting CURLOPT_CAINFO or it won't be able to connect.
>
> AFAICS, curl always provides a recent certificate store here:
> https://curl.haxx.se/ca/cacert.pem
>
> But how am I supposed to deal with this in my application? Should I include
> curl's cacert.pem in my application? But hard-coding a recent version of
> curl's cacert.pem in my application would require me to update my application
> whenever the cacert.pem provided by curl is updated - which is quite a hassle.
>
> So is there maybe an option to make curl automatically use the cacert.pem
> provided on curl's homepage? I think that would be useful when linking curl
> against custom builds of OpenSSL that don't have access to any certificate
> store provided by the host operating system, e.g. on Android.
>
> Or is there any other recommended way of dealing with this problem?

Doesn't android have /system/etc/security/cacerts and will that work as capath instead of using the bundle as cainfo?
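
Added example, not part of the original thread or of curl's own code: CURLOPT_CAPATH depends on OpenSSL's hashed file names, so if the directory form does not work with the linked OpenSSL build, one alternative is to concatenate the directory's certificates into a single PEM file at run time and pass that file to CURLOPT_CAINFO. It assumes the store files are PEM-encoded; `build_ca_bundle` and `demo` are names invented here, and the sample certificates are constructed placeholders.

```c
#define _XOPEN_SOURCE 700 /* mkdtemp() */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Copy every PEM block found in the files under dir into one bundle file,
 * skipping any text around the blocks. Returns the count, or -1 on error. */
int build_ca_bundle(const char *dir, const char *bundle) {
    char path[1024], line[256];
    struct dirent *e;
    int total = 0;
    DIR *d = opendir(dir);
    FILE *in, *out = d ? fopen(bundle, "w") : NULL;
    if (!out) { if (d) closedir(d); return -1; }
    while ((e = readdir(d)) != NULL) {
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (e->d_name[0] == '.' || !(in = fopen(path, "r"))) continue;
        for (int inside = 0; fgets(line, sizeof line, in); ) {
            if (!strncmp(line, PEM_BEGIN, strlen(PEM_BEGIN))) inside = 1;
            if (!inside) continue;
            fputs(line, out);
            if (strncmp(line, PEM_END, strlen(PEM_END))) continue;
            if (!strchr(line, '\n')) fputc('\n', out); /* file had no final newline */
            inside = 0; total++;
        }
        fclose(in);
    }
    closedir(d);
    return fclose(out) == 0 ? total : -1;
}

/* Constructed sample: two store-style files with placeholder base64, one with a text dump. */
int demo(void) {
    char dir[] = "/tmp/cacertsXXXXXX", p[64];
    const char *body[] = { PEM_BEGIN "\nQUJD\n" PEM_END "\nCertificate:\n Data\n",
                           PEM_BEGIN "\nREVG\n" PEM_END };
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/0000000%d.0", dir, i);
        FILE *f = fopen(p, "w");
        if (!f) return -1;
        fputs(body[i], f); fclose(f);
    }
    snprintf(p, sizeof p, "%s.pem", dir); /* bundle path to hand to CURLOPT_CAINFO */
    return build_ca_bundle(dir, p);
}
int main(void) { printf("%d certificates bundled\n", demo()); return 0; }
```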