On 22.03.2019 at 19:34 Ray Satiro via curl-library wrote:

> Doesn't android have /system/etc/security/cacerts and will that work as
> capath instead of using the bundle as cainfo?

Ok, after Luca's mail I tried it and it's indeed possible to access /system/etc/security/cacerts and read all the certificate files from there. But, setting CURLOPT_CAPATH to /system/etc/security/cacerts doesn't work with OpenSSL 1.x because apparently, the names of the individual certificates in that directory use an MD5 hash while OpenSSL 1.x expects an SHA1 hash.

People have discussed this here:

https://stackoverflow.com/questions/25253823/how-to-make-ssl-peer-verify-work-on-android
https://stackoverflow.com/questions/26935662/openssl-1-0-2-to-read-md5-ca-certificates

People have suggested that one should just concat all the individual certificate files from /system/etc/security/cacerts into a single file and set that using CURLOPT_CAINFO but I think it's a better idea to use a recent cacert.pem from curl's homepage and hard-code it into the curl build using --with-ca-bundle because all the solutions suggested above make lots of assumptions that might not work in future Android versions...

--
Best regards,
 Andreas Falkenhahn mailto:andr...@falkenhahn.com
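
The naming mismatch described in the message above can be checked directly. This is an added example, not part of the original post: it classifies a CA directory by comparing each file name with the two subject hashes the `openssl x509` command can print. It assumes the openssl CLI is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is
# installed; cert_name_style and capath_style are hypothetical helper names.

# Classify one certificate file by its file name:
#   new   = name is the SHA-1 based subject hash (what OpenSSL 1.x looks up)
#   old   = name is the MD5 based subject hash (pre-1.0.0 naming)
#   other = not a readable certificate, or named some other way
cert_name_style() (
    file=$1
    base=$(basename "$file")
    stem=${base%.*}    # drop the ".0", ".1", ... collision suffix
    new=$(openssl x509 -in "$file" -noout -subject_hash 2>/dev/null) || { echo other; return 0; }
    old=$(openssl x509 -in "$file" -noout -subject_hash_old 2>/dev/null) || { echo other; return 0; }
    if [ "$stem" = "$new" ]; then echo new
    elif [ "$stem" = "$old" ]; then echo old
    else echo other
    fi
)

# Summarise a whole directory: new, old, mixed, or none.
capath_style() (
    dir=$1; n_new=0; n_old=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(cert_name_style "$f") in
            new) n_new=$((n_new + 1)) ;;
            old) n_old=$((n_old + 1)) ;;
        esac
    done
    if [ "$n_new" -gt 0 ] && [ "$n_old" -gt 0 ]; then echo mixed
    elif [ "$n_new" -gt 0 ]; then echo new
    elif [ "$n_old" -gt 0 ]; then echo old
    else echo none
    fi
)

# Usage: capath_style /system/etc/security/cacerts
```

A result of `old` means an OpenSSL 1.x build given that directory as CURLOPT_CAPATH will not find the certificates by name.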