curl / Mailing Lists / curl-library / Single Mail


Re: A first proposal patch for using Windows certificate store when compiling with openssl

From: Daniel Stenberg via curl-library <>
Date: Sun, 9 Sep 2018 23:25:31 +0200 (CEST)

On Sun, 9 Sep 2018, Gilles Vollant via curl-library wrote:

Exellent start. Thanks!

> - Is the #if defined(HAVE_WINDOWS_H) test good to decide include
> Wincrypt.h and this code? Or another macro?

The typical way would be:

  #include <Wincrypt.h>

... and make sure HAVE_WINCRYPT_H is defined accordingly when that header is
checked or known to exist.

But how to best define that, is a little beyond me. Can we just check for what
OS version we build against or do we need configure/cmake to check for it?
(the latter then makes winbuilds more complicated)

> - And if both HAVE_WINDOWS_H (or alternate macro) and
> CURL_CA_FALLBACK are defined ?

You're adding a new way to set which CA store to use when verifying the
server's certificates so I would say defining how it works in assocation and
in combination with other existing options is a big part of that.

This said, if you ask to use the Windows native CA store I don't think it
should fallback to an external one unless that is explicitly asked for. Either
way, it needs to be documented.

> + #pragma comment(lib, "crypt32.lib")

I'm pretty sure this is an MSVCism that you can't use generically. You need to
write your makefile/cmake/etc to make sure it links with the right libs.
Remember that we have people building curl with several other compilers too,
most commonly mingw.

> ! if ((!ssl_cafile) && (!ssl_capath)) {

I'm curious if this way of selecting the native CA store is really what people
would like. It is very obscure and when reading code you can't tell if it'll
use the Windows CA store or not unless you also know which libcurl version
that runs...

Would it make more sense to use a magic value for cafile for example? For
example CURL_WINDOWS_CA_STORE (which then could be a defined string that is
totally unlikely to ever be used for a PEM ca store file name on windows. Like
" .. wincastore" or something.

Received on 2018-09-09