On Thu, 26 Mar 2020, Timothe Litt wrote:

> The man page for the curl command says that the command line version of curl
> pays attention to environment variables CURL_CA_BUNDLE (oddly, there's no
> mention of a CURL_CA_PATH variable...)

Why is that odd? It's a decision to support the bundle with an environment
variable. The directory approach is a mostly legacy and OpenSSL-centric thing
that has less use in a world with a wide variety of TLS backends.

> Is that unique to the command line, or does libcurl do all or some of the
> work?

That's command line tool logic. It explicitly says "If you're using the curl
command line tool" ...

> https://curl.haxx.se/docs/sslcerts.html isn't quite clear on what the
> library alone does. I read it as the library does not look at anything
> except what is set explicitly by curl_easy_setopt(), the built in default,
> or the library's default - in that order of preference. But the description
> intermixes the library and command tool so it's difficult to follow.

If you can think of ways to improve that document/language, please suggest!

> Also, Item 2 on that page is somewhat confusing - for the command line, it
> suggests --cacert (which is a bundle - maybe just the one cert). But for
> the library, it suggests setting CURLOPT_CAPATH (which is a directory - in
> which, modulo hashing, you could ADD the one cert).

That appears like an oversight. I think it should rather mention
CURLOPT_CAINFO.

> I'm going to send the version_info values back into curl as well as the
> other library (with my own override mechanism), so it doesn't make a
> difference for me. But you might consider something like a table for
> the page - one for the command tool's behavior/options, and one for the
> libraries...

There are also many more combinations than just tool vs library, like Windows
vs non-Windows and OpenSSL vs non-OpenSSL vs NSS etc. Also, tables are tricky
in text/markdown.

--
/ daniel.haxx.se | Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://www.wolfssl.com/contact/