curl-library

RE: Using Windows certificate store when compiling with openssl

From: Hölzl, Dominik via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 13 Sep 2018 09:08:05 +0000

>
> > What about using the Windows certificate store ?
>
> I think it would be great to offer that ability to OpenSSL users on Windows.
>

For CA validation on Windows we use CURLOPT_SSL_CTX_FUNCTION / CURLopenssl_certverifycallback.
The implementation is a mixture of a Microsoft example (https://github.com/Microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/security/cryptoapi/BuildChain/CPP/BuildChain.cpp) and how Google Chrome performs CA validation (https://cs.chromium.org/chromium/src/net/cert/cert_verify_proc_win.cc).

On Linux we use the default behavior of OpenSSL (system certificate bundle file) as there is no other dedicated "system" store like on Windows and MacOS.

On MacOS we use SecureTransport which performs CA validation out of the box.
I don't know how to do CA validation against the system Keychain with OpenSSL there.

Regards,
Dominik

Received on 2018-09-13