I have built libcurl for Windows x64 with OpenSSL. If I specify the CA Info with the libcurl command as shown below I am able to post my data via https.
curl_easy_setopt(curl_handle, CURLOPT_CAINFO, "C:\\cacert.pem");
My question is in regard to option 3 under the heading “Certificate Verification” found here: https://curl.haxx.se/docs/sslcerts.html
3) Add the CA cert for your server to the existing default CA certificate store. The default CA certificate store can be changed at compile time with the following configure options:
--with-ca-bundle=FILE: use the specified file as CA certificate store. CA certificates need to be concatenated in PEM format into this file.
--with-ca-path=PATH: use the specified path as CA certificate store. CA certificates need to be stored as individual PEM files in this directory. You may need to run c_rehash after adding files there.
Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?
Thanks!
Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?
cURL has the same settings for compile time. More accurately, they are Autotools options.
curl-7.57.0$ ./configure --help
`configure' configures curl - to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...
...
  --with-ca-bundle=FILE   Path to a file containing CA certificates (example:
                          /etc/ca-bundle.crt)
  --without-ca-bundle     Don't use a default CA bundle
  --with-ca-path=DIRECTORY
                          Path to a directory containing CA certificates
                          stored individually, with their filenames in a hash
                          format. This option can be used with OpenSSL, GnuTLS
                          and PolarSSL backends. Refer to OpenSSL c_rehash for
                          details. (example: /etc/certificates)
  --without-ca-path       Don't use a default CA path
  --with-ca-fallback      Use the built in CA store of the SSL library
  --without-ca-fallback   Don't use the built in CA store of the SSL library
I build cURL on occasion for testing on older systems like CentOS 5. I find it is easiest to download an updated cacert.pem, and then use --with-ca-bundle.
If you want to use --with-ca-path, then that is the one where each certificate is hashed. So you will have a directory with 120 or 150 files in it. The files will have names like NNNNNNNN.0, NNNNNNNN.1 and so on. NNNNNNNN will be a hash, and collisions are resolved by incrementing the suffix.
I keep my script for building cURL online at Build-Scripts | build-curl.sh.
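The hashed directory layout described in the answer above, as an added example that is not part of the original post or of curl's own scripts: it creates the NNNNNNNN.0, NNNNNNNN.1 links for a --with-ca-path directory and bumps the suffix when two certificates share a subject hash. The function names subject_hash and rehash_dir are hypothetical, and the script assumes the openssl command-line tool is on PATH and that each *.pem file holds exactly one certificate.

```shell
#!/bin/sh
# Added example: populate a --with-ca-path style directory by hand.
# Assumptions: openssl CLI on PATH, one certificate per *.pem file.

# Print the 8-hex-digit subject-name hash OpenSSL uses for directory lookup.
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Create HASH.N symlinks for every *.pem file in directory $1.
rehash_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi

    # Remove hash links from a previous run so that a certificate deleted
    # from the directory does not stay trusted through a stale link.
    for old in "$dir"/????????.[0-9]*; do
        if [ -L "$old" ]; then
            rm -f "$old"
        fi
    done

    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(subject_hash "$pem") || { echo "skipping $pem" >&2; continue; }
        n=0
        # Hash already taken by another certificate: try .1, .2, ...
        while [ -e "$dir/$h.$n" ] || [ -L "$dir/$h.$n" ]; do
            n=$((n + 1))
        done
        # Relative link target keeps the directory relocatable.
        ln -s "$(basename "$pem")" "$dir/$h.$n"
    done
    return 0
}

# When run as a script: sh thisfile.sh /path/to/cert-dir
if [ "$#" -gt 0 ]; then
    rehash_dir "$1"
fi
```
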