
curl-library

Re: Allow empty CURLOPT_CAINFO when there is a valid CURLOPT_CAPATH

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 27 Feb 2019 22:11:34 -0500

On 2/27/2019 7:11 PM, Alex Khouderchah via curl-library wrote:
>
> It seems like CURLOPT_CAINFO is always required to refer to a valid
> cert file (when we're actually verifying certs), whereas
> CURLOPT_CAPATH is allowed to be empty or refer to a non-existent
> directory. I'm unclear why this asymmetry exists. Is there a reason
> why CURLOPT_CAINFO shouldn't be allowed to be empty/invalid if
> CURLOPT_CAPATH is valid?

It's probably SSL backend specific, which one are you using? I'm using
OpenSSL and get an error with valid CAINFO but empty CAPATH, and the
other way around. SSL_CTX_load_verify_locations [1][2] is called and
AFAICS there's no logic in libcurl to filter what is passed to that
function.

curl 7.64.1-DEV (i386-pc-win32) libcurl/7.64.1-DEV OpenSSL/1.0.2r
nghttp2/1.36.0

[1]:
https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html
[2]: https://github.com/curl/curl/blob/curl-7_64_0/lib/vtls/openssl.c#L2598
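Since libcurl (per the reply above) hands CURLOPT_CAINFO and CURLOPT_CAPATH to SSL_CTX_load_verify_locations without filtering, an application that wants "empty or missing CAINFO is fine as long as CAPATH is valid" has to do that filtering itself before calling curl_easy_setopt. The following is an added example written for this page, not code from libcurl or from either poster: it checks each location against the filesystem, drops the one that would make the OpenSSL call fail, and refuses to proceed when neither is usable rather than falling back to disabling verification. The default CA directory /etc/ssl/certs in the demo main and the claim that passing a NULL string option clears it in libcurl are assumptions, not something the thread states.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/*
 * Normalised pair of verify locations, ready to hand to
 * curl_easy_setopt(CURLOPT_CAINFO) / curl_easy_setopt(CURLOPT_CAPATH).
 * A member is NULL when the caller's value is empty or does not name
 * the right kind of filesystem object.
 */
struct verify_locations {
    const char *cainfo;   /* regular file, or NULL */
    const char *capath;   /* directory, or NULL */
};

/* True when p is non-empty and names a regular file. */
static int is_regular_file(const char *p)
{
    struct stat st;
    return p != NULL && *p != '\0' && stat(p, &st) == 0 && S_ISREG(st.st_mode);
}

/* True when p is non-empty and names a directory. */
static int is_directory(const char *p)
{
    struct stat st;
    return p != NULL && *p != '\0' && stat(p, &st) == 0 && S_ISDIR(st.st_mode);
}

/*
 * Drop whichever of cainfo/capath would make SSL_CTX_load_verify_locations()
 * fail (empty string, missing path, wrong object type), keeping the other.
 * Returns 1 if at least one usable location remains, 0 if none does; in the
 * latter case peer verification cannot succeed and the caller should stop
 * rather than turn off CURLOPT_SSL_VERIFYPEER.
 */
int normalize_verify_locations(const char *cainfo, const char *capath,
                               struct verify_locations *out)
{
    out->cainfo = is_regular_file(cainfo) ? cainfo : NULL;
    out->capath = is_directory(capath) ? capath : NULL;
    return (out->cainfo != NULL || out->capath != NULL) ? 1 : 0;
}

/* Stand-alone demo: ./normalize [CAINFO] [CAPATH] */
int main(int argc, char **argv)
{
    const char *cainfo = argc > 1 ? argv[1] : "";
    /* assumption: a typical Linux CA directory, used only as a demo default */
    const char *capath = argc > 2 ? argv[2] : "/etc/ssl/certs";
    struct verify_locations loc;

    if (!normalize_verify_locations(cainfo, capath, &loc)) {
        fprintf(stderr, "no usable CA file or CA path; refusing to verify\n");
        return 1;
    }
    printf("CURLOPT_CAINFO -> %s\n", loc.cainfo ? loc.cainfo : "(NULL, cleared)");
    printf("CURLOPT_CAPATH -> %s\n", loc.capath ? loc.capath : "(NULL, cleared)");
    /*
     * In the real application the values would now be applied as
     *   curl_easy_setopt(curl, CURLOPT_CAINFO, loc.cainfo);
     *   curl_easy_setopt(curl, CURLOPT_CAPATH, loc.capath);
     * (assumption: a NULL string option clears that location in libcurl,
     * so OpenSSL only sees the one that exists).
     */
    return 0;
}
```

The check deliberately tests the object type, not just existence: a directory passed as CAINFO or a file passed as CAPATH fails inside OpenSSL just as an empty string does. An existing but empty CAPATH directory is accepted here because OpenSSL only consults it lazily during verification, which is exactly the situation the original poster wanted to allow.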

Received on 2019-02-28