
Re: A first proposal patch for using Windows certificate store when compiling with openssl

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Sun, 9 Sep 2018 23:25:31 +0200 (CEST)

On Sun, 9 Sep 2018, Gilles Vollant via curl-library wrote:

Excellent start. Thanks!

> - Is the #if defined(HAVE_WINDOWS_H) test good to decide include
> Wincrypt.h and this code? Or another macro?

The typical way would be:

  #ifdef HAVE_WINCRYPT_H
  #include <Wincrypt.h>
  #endif

... and make sure HAVE_WINCRYPT_H is defined accordingly when that header is
checked or known to exist.

But how to best define that, is a little beyond me. Can we just check for what
OS version we build against or do we need configure/cmake to check for it?
(the latter then makes winbuilds more complicated)

> - And if both HAVE_WINDOWS_H (or alternate macro) and
> CURL_CA_FALLBACK are defined ?

You're adding a new way to set which CA store to use when verifying the
server's certificates so I would say defining how it works in association and
in combination with other existing options is a big part of that.

This said, if you ask to use the Windows native CA store I don't think it
should fall back to an external one unless that is explicitly asked for. Either
way, it needs to be documented.

> + #pragma comment(lib, "crypt32.lib")

I'm pretty sure this is an MSVCism that you can't use generically. You need to
write your makefile/cmake/etc to make sure it links with the right libs.
Remember that we have people building curl with several other compilers too,
most commonly mingw.

> ! if ((!ssl_cafile) && (!ssl_capath)) {

I'm curious if this way of selecting the native CA store is really what people
would like. It is very obscure and when reading code you can't tell if it'll
use the Windows CA store or not unless you also know which libcurl version
that runs...

Would it make more sense to use a magic value for cafile for example? For
example CURL_WINDOWS_CA_STORE (which then could be a defined string that is
totally unlikely to ever be used for a PEM ca store file name on Windows, like
" .. wincastore" or something).

-- 
  / daniel.haxx.se
Received on 2018-09-09
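As an added illustration of the two build-system points raised in the mail (probing for Wincrypt.h so that HAVE_WINCRYPT_H is defined, and linking crypt32 from the build files rather than with the MSVC-only pragma), here is a CMake fragment; it is not curl's own CMakeLists.txt, and the target name `libcurl` is an assumption:

```cmake
# Added example, not curl's build files. Target name 'libcurl' is assumed.
include(CheckIncludeFiles)

if(WIN32)
  # Wincrypt.h relies on types declared in windows.h, so the probe has to
  # include both headers, in that order, for the check to compile.
  check_include_files("windows.h;wincrypt.h" HAVE_WINCRYPT_H)
endif()

if(HAVE_WINCRYPT_H)
  # Makes the '#ifdef HAVE_WINCRYPT_H' guard in the C sources take effect.
  target_compile_definitions(libcurl PRIVATE HAVE_WINCRYPT_H=1)
  # Link the CertOpenSystemStore/CertEnumCertificatesInStore import library
  # here, which works for MSVC, mingw and clang alike, instead of relying on
  # '#pragma comment(lib, "crypt32.lib")', which only MSVC honours.
  target_link_libraries(libcurl PRIVATE crypt32)
endif()
```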