Re: Get for CURLOPT_CAINFO, CURLOPT_CAPATH?
Date: Thu, 26 Mar 2020 11:19:11 -0400
Thanks. That looks good and will be very helpful.
The man page for the curl command says that the command line version of
curl pays attention to environment variables CURL_CA_BUNDLE (oddly,
there's no mention of a CURL_CA_PATH variable...), and for windows
searches for a ca-bundle.crt file.
Is that unique to the command line, or does libcurl do all or some of
the work? https://curl.haxx.se/docs/sslcerts.html isn't quite clear on
what the library alone does. I read it as the library does not look at
anything except what is set explicitly by curl_easy_setopt(), the built
in default, or the library's default - in that order of preference. But
the description intermixes the library and command tool so it's
difficult to follow.
Also, Item 2 on that page is somewhat confusing - for the command line,
it suggests --cacert (which is a bundle - maybe just the one cert). But
for the library, it suggests setting CURLOPT_CAPATH (which is a directory
- in which, modulo hashing, you could ADD the one cert). These aren't
equivalent. --capath would be the equivalent to CURLOPT_CAPATH. Or
CURLOPT_CAINFO would be the equivalent of --cacert.
I'm going to send the version_info values back into curl as well as the
other library (with my own override mechanism), so it doesn't make a
difference for me. But you might consider something like a table for
the page - one for the command tool's behavior/options, and one for the
HOWTO                         Using the curl command    Using libcurl
disable verification          -k/--insecure
specify an alternate bundle   --cacert
change the built-in default   ...
Finally, you might want to update
https://curl.haxx.se/libcurl/c/CURLOPT_PROXY_CAINFO.html to mention that
the default is now accessible in curl_version_info_data (and, as I just
discovered, with curl-config --ca).
Thanks again for the quick response!
ACM Distinguished Engineer
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
On 26-Mar-20 08:07, Daniel Stenberg wrote:
> On Mon, 23 Mar 2020, Timothe Litt wrote:
>>> That seems reasonable indeed. You basically want CURL_CA_BUNDLE and
>>> CURL_CA_PATH exposed there, right?
>> Yes. I only need the default (hard-coded, or what you get from
>> envvars or wherever) values before the application has done
>> anything. But the active ones might help someone else.
> Have a look at this: https://github.com/curl/curl/pull/5150
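The thread discusses reading libcurl's built-in default CA bundle/directory out of curl_version_info_data so an application can feed them back via CURLOPT_CAINFO (a file) and CURLOPT_CAPATH (a directory). The following is an added example, not code from the curl project or from anyone in this thread; it assumes a libcurl shared library that ctypes can load, mirrors the curl_version_info_data layout from curl/curl.h (an assumption on my part, since members are append-only), and only reads the cainfo/capath members when the reported age says they exist (age >= 6, libcurl 7.70.0 and later), which avoids reading past an older library's struct.

```python
"""Read libcurl's built-in default CA file/dir via curl_version_info()."""
import ctypes
import ctypes.util

CURLVERSION_SEVENTH = 6   # first struct age with cainfo/capath (libcurl 7.70.0)


class CurlVersionInfo(ctypes.Structure):
    # Mirrors curl_version_info_data from curl/curl.h (assumed layout);
    # members are append-only, so older libraries simply report a lower age.
    _fields_ = [
        ("age", ctypes.c_int),
        ("version", ctypes.c_char_p),
        ("version_num", ctypes.c_uint),
        ("host", ctypes.c_char_p),
        ("features", ctypes.c_int),
        ("ssl_version", ctypes.c_char_p),
        ("ssl_version_num", ctypes.c_long),
        ("libz_version", ctypes.c_char_p),
        ("protocols", ctypes.POINTER(ctypes.c_char_p)),
        ("ares", ctypes.c_char_p), ("ares_num", ctypes.c_int),             # age >= 1
        ("libidn", ctypes.c_char_p),                                        # age >= 2
        ("iconv_ver_num", ctypes.c_int), ("libssh_version", ctypes.c_char_p),  # 3
        ("brotli_ver_num", ctypes.c_uint), ("brotli_version", ctypes.c_char_p),  # 4
        ("nghttp2_ver_num", ctypes.c_uint), ("nghttp2_version", ctypes.c_char_p),
        ("quic_version", ctypes.c_char_p),                                  # age >= 5
        ("cainfo", ctypes.c_char_p), ("capath", ctypes.c_char_p),           # age >= 6
    ]


def decode_ca_defaults(info):
    """Extract CA defaults, touching cainfo/capath only if `age` says they exist."""
    out = {"version": info.version.decode() if info.version else None,
           "age": info.age, "cainfo": None, "capath": None}
    if info.age >= CURLVERSION_SEVENTH:
        # NULL here means the library was built without that default.
        out["cainfo"] = info.cainfo.decode() if info.cainfo else None
        out["capath"] = info.capath.decode() if info.capath else None
    return out


def libcurl_ca_defaults(libname=None):
    """Ask the loaded libcurl; returns None when no libcurl can be found."""
    path = libname or ctypes.util.find_library("curl")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.curl_version_info.restype = ctypes.POINTER(CurlVersionInfo)
    lib.curl_version_info.argtypes = [ctypes.c_int]
    # libcurl ignores the stamp argument and reports the age it was built with.
    return decode_ca_defaults(lib.curl_version_info(0).contents)


if __name__ == "__main__":
    print(libcurl_ca_defaults())
```

A None cainfo on a new enough library means that build has no default bundle at all, which is exactly the case where an application must supply CURLOPT_CAINFO or CURLOPT_CAPATH itself.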