curl / Mailing Lists / curl-library / Single Mail

Re: Get for CURLOPT_CAINFO, CURLOPT_CAPATH?

From: Timothe Litt <litt_at_acm.org>
Date: Thu, 26 Mar 2020 11:19:11 -0400

Thanks.  That looks good and will be very helpful.

The man page for the curl command says that the command line version of
curl pays attention to the environment variable CURL_CA_BUNDLE (oddly,
there's no mention of a CURL_CA_PATH variable...), and on Windows
searches for a ca-bundle.crt file.

Is that unique to the command line, or does libcurl do all or some of
the work?  https://curl.haxx.se/docs/sslcerts.html isn't quite clear on
what the library alone does.  I read it as the library does not look at
anything except what is set explicitly by curl_easy_setopt(),  the built
in default, or the library's default - in that order of preference.  But
the description intermixes the library and command tool so it's
difficult to follow.

Also, Item 2 on that page is somewhat confusing - for the command line,
it suggests --cacert (which is a bundle - maybe just the one cert).  But
for the library, it suggests setting CURLOPT_CAPATH (which is a
directory - in which, modulo hashing, you could ADD the one cert).
These aren't equivalent.  --capath would be the equivalent to
CURLOPT_CAPATH.  Or CURLOPT_CAINFO would be the equivalent of --cacert.

I'm going to send the version_info values back into curl as well as the
other library (with my own override mechanism), so it doesn't make a
difference for me.  But you might consider something like a table for
the page - one for the command tool's behavior/options, and one for the
libraries...

e.g.

HOWTO                        Using the curl command   Using libcurl
---------------------------  -----------------------  ------------------------------------------------
disable verification         -k/--insecure            curl_easy_setopt(,CURLOPT_SSL_VERIFY_PEER,FALSE)
specify an alternate bundle  --cacert                 curl_easy_setopt(,CURLOPT_CAINFO)
change the built-in default  ...

...

Finally, you might want to update
https://curl.haxx.se/libcurl/c/CURLOPT_PROXY_CAINFO.html to mention that
the default is now accessible in curl_version_info_data (and, as I just
discovered, with curl-config --ca).

Thanks again for the quick response!

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

On 26-Mar-20 08:07, Daniel Stenberg wrote:
> On Mon, 23 Mar 2020, Timothe Litt wrote:
>
>>> That seems reasonable indeed. You basically want CURL_CA_BUNDLE and
>>> CURL_CA_PATH exposed there, right?
>>>
>> Yes.  I only need the default (hard-coded, or what you get from
>> envvars or whereever) values before the application has done
>> anything.  But the active ones might help someone else.
>
> Have a look at this: https://github.com/curl/curl/pull/5150
>


Received on 2020-03-26