
curl-library

Re: CURL_CA_BUNDLE and my confusion - need some feedback

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 27 Jan 2007 22:42:00 +0100 (CET)

On Sat, 27 Jan 2007, Guenter Knauf wrote:

> I've the problem that ca-bundle.h is missing in CVS while it is present in
> releases.

Why is that a problem? Lots of stuff is missing in CVS but needs to be
generated locally before you can do a proper build.

> just when I built the releases I didn't get the expected result because the
> ca-bundle.h was already there - but empty, and therefore no define of
> CURL_CA_BUNDLE at all.

Let's take a few steps back here.

The define CURL_CA_BUNDLE is used within libcurl as the full path name of the
default system-level CA cert bundle. In configure-using systems, it is decided
when configure is run and it is installed there with 'make install'.

In Windows for example, we have no "make install" and there typically is no
notion of a system-level CA cert bundle at all. Hence, we don't define
CURL_CA_BUNDLE at all but instead the app needs to set the path to it.

> So I dug a _little_ bit through the code, and found that in curl's main.c
> there's already some other code which does what I would propose should also
> happen in the lib code....

Yes, and that's exactly due to this: since there is no system-level CA cert
the application needs to tell where it is and we came up with a way we think
is suitable in the command line tool.

> CURL_EXTERN CURLcode curl_set_ca_bundle(char* cert_path);

How does this differ from what CURLOPT_CAINFO already offers?

> CURL_EXTERN char *curl_get_ca_bundle(void);
>
> this should return the current curl-ca-bundle.crt path if already set, or
> else check as it is currently done in main.c, and if that doesn't return
> something useful then finally use the hardcoded compile-time define if
> present.

I agree that it might perhaps be interesting for some applications to
figure out what CA cert path libcurl defaults to. But I would rather see that
request from someone actually developing an application where this is actually
wanted, rather than us speculating that this might be interesting to someone
sometime.

> if that's all nonsense what I propose then please forgive - then I would
> like to propose as second choice that we add a simple ca-bundle.h to CVS
> which is then always present:
> /* simple ca-bundle.h */
>
> #ifndef CURL_CA_BUNDLE
> #define CURL_CA_BUNDLE getenv("CURL_CA_BUNDLE")
> #endif

What would the purpose of this be? Who would cheer and what good stuff would
they get out of it?

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2007-01-27
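The thread describes how an application on a platform without a compile-time CURL_CA_BUNDLE has to work out a CA bundle path itself and hand it to libcurl via CURLOPT_CAINFO. The following is an added example, not code from curl or from either poster, showing one way to do that resolution (environment variable, then compile-time define, then caller-supplied fallbacks) so that the result is an existing file and the caller fails closed when nothing is found; the function and file names and the sample bundle are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* A candidate counts only if it names an existing regular file. */
static int is_regular_file(const char *path)
{
    struct stat st;
    return path && *path && stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Order from the thread: CURL_CA_BUNDLE env var (pass getenv's result), then
 * the compile-time define (NULL when libcurl has none, as on Windows), then
 * NULL-terminated caller fallbacks. Winner goes to out, which is what the app
 * hands to curl_easy_setopt(h, CURLOPT_CAINFO, out); returns 0 with out empty
 * when nothing usable exists so the caller fails closed rather than disabling
 * CURLOPT_SSL_VERIFYPEER. */
int resolve_ca_bundle(const char *env_value, const char *compiled,
                      const char *const *fallbacks, char *out, size_t outlen)
{
    const char *chosen = NULL;
    size_t i;
    if (is_regular_file(env_value))
        chosen = env_value;
    else if (is_regular_file(compiled))
        chosen = compiled;
    else
        for (i = 0; fallbacks && fallbacks[i]; i++)
            if (is_regular_file(fallbacks[i])) { chosen = fallbacks[i]; break; }
    if (!chosen || strlen(chosen) >= outlen) {
        if (outlen) out[0] = '\0';
        return 0;
    }
    strcpy(out, chosen);
    return 1;
}

/* Self-check with a constructed placeholder file (not a real certificate). */
int self_check(void)
{
    static const char *const fb[] = { "no/such/dir/x.crt", "ca-sample.crt", NULL };
    char out[256];
    FILE *f = fopen("ca-sample.crt", "w");
    if (!f) return 0;
    fputs("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n", f);
    fclose(f);
    if (!resolve_ca_bundle("/nonexistent/env.crt", NULL, fb, out, sizeof out))
        return 0;
    return strcmp(out, "ca-sample.crt") == 0;
}
```

In a real application the first argument would be getenv("CURL_CA_BUNDLE") and the second the CURL_CA_BUNDLE macro when it is defined; the returned path is then set with CURLOPT_CAINFO and peer verification stays on.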