Thanks.  That looks good and will be very helpful.

The man page for the curl command says that the command line version of
curl pays attention to the environment variable CURL_CA_BUNDLE (oddly,
there's no mention of a CURL_CA_PATH variable...), and on Windows
searches for a ca-bundle.crt file.

Is that unique to the command line, or does libcurl do all or some of
the work?  https://curl.haxx.se/docs/sslcerts.html isn't quite clear on
what the library alone does.  I read it as the library does not look at
anything except what is set explicitly by curl_easy_setopt(),  the built
in default, or the library's default - in that order of preference.  But
the description intermixes the library and command tool so it's
difficult to follow.

Also, Item 2 on that page is somewhat confusing - for the command line,
it suggests --cacert (which is a bundle - maybe just the one cert).  But
for the library, it suggests setting CURLOPT_CAPATH (which is a
directory - in which, modulo hashing, you could ADD the one cert).
These aren't equivalent.  --capath would be the equivalent to
CURLOPT_CAPATH.  Or CURLOPT_CAINFO would be the equivalent of --cacert.

I'm going to send the version_info values back into curl as well as the
other library (with my own override mechanism), so it doesn't make a
difference for me.  But you might consider something like a table for
the page - one for the command tool's behavior/options, and one for the
libraries...

e.g.

HOWTO                        Using the curl command   Using libcurl
---------------------------  -----------------------  -----------------------------------------------
disable verification         -k/--insecure            curl_easy_setopt(,CURLOPT_SSL_VERIFYPEER,FALSE)
specify an alternate bundle  --cacert                 curl_easy_setopt(,CURLOPT_CAINFO)
change the built-in default  ...                      ...

...

Finally, you might want to update
https://curl.haxx.se/libcurl/c/CURLOPT_PROXY_CAINFO.html to mention that
the default is now accessible in curl_version_info_data (and, as I just
discovered, with curl-config --ca).

Thanks again for the quick response!

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

On 26-Mar-20 08:07, Daniel Stenberg wrote:
> On Mon, 23 Mar 2020, Timothe Litt wrote:
>
>>> That seems reasonable indeed. You basically want CURL_CA_BUNDLE and
>>> CURL_CA_PATH exposed there, right?
>>>
>> Yes.  I only need the default (hard-coded, or what you get from
>> envvars or wherever) values before the application has done
>> anything.  But the active ones might help someone else.
>
> Have a look at this: https://github.com/curl/curl/pull/5150
>
