On Sun, 9 Sep 2018, Daniel Stenberg via curl-library wrote:
> #ifdef HAVE_WINCRYPT_H
> #include <Wincrypt.h>
> #endif

> + #pragma comment(lib, "crypt32.lib")
> I'm pretty sure this is an MSVCism
I agree this must not be used.

>> ! if ((!ssl_cafile) && (!ssl_capath)) {
> I'm curious if this way of selecting the native CA store is really what
people
> would like
> I'm curious if this way of selecting the native CA store is really what
people
>would like. It is very obscure and when reading code you can't tell if
it'll
> use the Windows CA store or not unless you also know which libcurl version

> that runs...
> Would it make more sense to use a magic value for cafile for example? For
> example CURL_WINDOWS_CA_STORE (which then could be a defined string that
is
> totally unlikely to ever be used for a PEM ca store file name on windows.
Like
> " .. wincastore" or something.

Here is my idea : if we provide cafile or capath, we have our custom
certificate store, so it replace using Windows store.
If we did not provide them, we cannot use curl with https without
--insecure. So using Windows certificate store is a good idea.

When we user WinSSL , we use Windows certificate store without asking
nothing.
Same thing with darwinssl.c and ios/osx keychain.

My idea is more using the Windows CA store, but add a macro to ignore my
modification.

Note : Openssl 1.1.1 with TLS 1.3 has been released. So having a Windows
executable of curl.exe which use it and Windows store without specifying
option can be great !!

Regards
Gilles Vollant

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-09-11