
Re: Get for CURLOPT_CAINFO, CURLOPT_CAPATH?

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 26 Mar 2020 17:35:06 +0100 (CET)

On Thu, 26 Mar 2020, Timothe Litt wrote:

> The man page for the curl command says that the command line version of curl
> pays attention to environment variables CURL_CA_BUNDLE (oddly, there's no
> mention of a CURL_CA_PATH variable...)

Why is that odd? It's a decision to support the bundle with an environment
variable. The directory approach is a mostly legacy and OpenSSL-centric thing
that has less use in a world with a wide variety of TLS backends.

> Is that unique to the command line, or does libcurl do all or some of the
> work?

That's command line tool logic. It explicitly says "If you're using the curl
command line tool" ...

> https://curl.haxx.se/docs/sslcerts.html isn't quite clear on what the
> library alone does.  I read it as the library does not look at anything
> except what is set explicitly by curl_easy_setopt(),  the built in default,
> or the library's default - in that order of preference.  But the description
> intermixes the library and command tool so it's difficult to follow.

If you can think of ways to improve that document/language, please suggest!

> Also, Item 2 on that page is somewhat confusing - for the command line, it
> suggests --cacert (which is a bundle - maybe just the one cert).  But for
> the library, it suggests setting CURLOPT_CAPATH (which is a directory - in
> which, modulo hashing, you could ADD the one cert). 

That appears like an oversight. I think it should rather mention
CURLOPT_CAINFO.

> I'm going to send the version_info values back into curl as well as the
> other library (with my own override mechanism), so it doesn't make a
> difference for me.  But you might consider something like a table for
> the page - one for the command tool's behavior/options, and one for the
> libraries...

There are also many more combinations than just tool vs library, like Windows
vs non-Windows and OpenSSL vs non-OpenSSL vs NSS etc. Also, tables are tricky
in text/markdown.

-- 
  / daniel.haxx.se | Commercial curl support up to 24x7 is available!
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/

Received on 2020-03-26
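
Since the reply above says CURL_CA_BUNDLE handling is command line tool logic, a libcurl application that wants the same behaviour has to read the variable itself and pass the result to CURLOPT_CAINFO. The following is an added example, not part of the original mail and not curl project code; `select_ca_bundle`, `apply_ca_bundle`, the `app_setting` parameter and the `WITH_LIBCURL` build macro are names assumed here.

```c
/* Build against libcurl with:  cc -DWITH_LIBCURL ca_select.c -lcurl
 * Without -DWITH_LIBCURL only the selection logic is compiled. */
#include <stddef.h>
#include <stdlib.h>
#ifdef WITH_LIBCURL
#include <curl/curl.h>
#endif

enum ca_source { CA_FROM_APP, CA_FROM_ENV, CA_LIBCURL_DEFAULT };

struct ca_choice {
  enum ca_source source;
  const char *path;   /* NULL means: leave CURLOPT_CAINFO untouched */
};

/* app_setting: hypothetical value from the application's own configuration.
 * env_value:   what getenv("CURL_CA_BUNDLE") returned, passed in so the
 *              precedence can be checked without changing the environment.
 * Empty strings are treated as "not set" so that an empty variable never
 * replaces the default bundle with an unusable path. */
struct ca_choice select_ca_bundle(const char *app_setting,
                                  const char *env_value)
{
  struct ca_choice c = { CA_LIBCURL_DEFAULT, NULL };
  if(app_setting && *app_setting) {
    c.source = CA_FROM_APP;
    c.path = app_setting;
  }
  else if(env_value && *env_value) {
    c.source = CA_FROM_ENV;
    c.path = env_value;
  }
  return c;
}

#ifdef WITH_LIBCURL
/* Applies the choice to an easy handle. Peer verification stays enabled;
 * only the trust anchor file changes. */
CURLcode apply_ca_bundle(CURL *easy, const char *app_setting)
{
  struct ca_choice c =
    select_ca_bundle(app_setting, getenv("CURL_CA_BUNDLE"));
  if(!c.path)
    return CURLE_OK;  /* keep the default libcurl was built with */
  return curl_easy_setopt(easy, CURLOPT_CAINFO, c.path);
}
#endif
```

An application that runs with more privilege than the user who controls its environment should skip the environment lookup, since the variable decides which CAs are trusted.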