
Define CA Info at Compile Time for libcurl

I have built libcurl for Windows x64 with OpenSSL. If I specify the CA Info with the libcurl command as shown below I am able to post my data via https.

curl_easy_setopt(curl_handle, CURLOPT_CAINFO, "C:\\cacert.pem");

My question regards option 3 under the heading “Certificate Verification” found here: https://curl.haxx.se/docs/sslcerts.html

3) Add the CA cert for your server to the existing default CA certificate store. The default CA certificate store can be changed at compile time with the following configure options:

--with-ca-bundle=FILE: use the specified file as CA certificate store. CA certificates need to be concatenated in PEM format into this file.

--with-ca-path=PATH: use the specified path as CA certificate store. CA certificates need to be stored as individual PEM files in this directory. You may need to run c_rehash after adding files there.

Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?

Thanks!

Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?

cURL has the same settings for compile time. More accurately, they are Autotools options.

curl-7.57.0$ ./configure --help
`configure' configures curl - to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...
...

  --with-ca-bundle=FILE   Path to a file containing CA certificates (example:
                          /etc/ca-bundle.crt)
  --without-ca-bundle     Don't use a default CA bundle
  --with-ca-path=DIRECTORY
                          Path to a directory containing CA certificates
                          stored individually, with their filenames in a hash
                          format. This option can be used with OpenSSL, GnuTLS
                          and PolarSSL backends. Refer to OpenSSL c_rehash for
                          details. (example: /etc/certificates)
  --without-ca-path       Don't use a default CA path
  --with-ca-fallback      Use the built in CA store of the SSL library
  --without-ca-fallback   Don't use the built in CA store of the SSL library

I build cURL on occasion for testing on older systems like CentOS 5. I find it is easiest to download an updated cacert.pem, and then use --with-ca-bundle.

If you want to use --with-ca-path, then that is the one where each certificate is hashed. So you will have a directory with 120 or 150 files in it. The files will have names like NNNNNNNN.0, NNNNNNNN.1 and so on. NNNNNNNN will be a hash, and collisions are resolved by incrementing the suffix.

I keep my script for building cURL online at Build-Scripts | build-curl.sh.
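The hashed-directory layout that --with-ca-path expects, as an added example that is not part of the original question or answer: it builds a c_rehash-style directory from a folder of PEM files, resolves a subject-hash collision (two different CA certificates with the same subject DN) by incrementing the suffix, and skips exact duplicates. It assumes the openssl command-line tool is installed; the certificate names and subject are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build an OpenSSL-style hashed
# CA directory, the layout --with-ca-path expects. Entries are named
# <subject_hash>.<n>; n is incremented when a different certificate has the
# same subject hash. Requires the openssl CLI.
set -eu

# rehash_dir SRC DST: copy every *.pem CA cert in SRC into DST as <hash>.<n>
rehash_dir() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for cert in "$src"/*.pem; do
        hash=$(openssl x509 -noout -subject_hash -in "$cert")
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert")
        n=0
        while [ -e "$dst/$hash.$n" ]; do
            # identical certificate already present: skip it instead of duplicating
            if [ "$(openssl x509 -noout -fingerprint -sha256 -in "$dst/$hash.$n")" = "$fp" ]; then
                continue 2
            fi
            n=$((n + 1))   # collision: same subject hash, different cert
        done
        cp "$cert" "$dst/$hash.$n"
    done
}

# count_hashed DST HASH: number of entries in DST sharing the subject hash HASH
count_hashed() {
    ls "$1"/"$2".* 2>/dev/null | wc -l | tr -d ' '
}

# demo: two self-signed CAs with the SAME subject (think: a reissued CA) collide
# on subject hash and must land in .0 and .1; a byte-identical copy is skipped.
# Prints the number of entries for that hash after verifying the second CA
# is found through the hashed lookup.
demo() {
    work=$(mktemp -d)
    mkdir "$work/src"
    for i in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
            -keyout "$work/k$i.pem" -out "$work/src/ca$i.pem" 2>/dev/null
    done
    cp "$work/src/ca1.pem" "$work/src/ca1-dup.pem"
    rehash_dir "$work/src" "$work/capath"
    openssl verify -CApath "$work/capath" "$work/src/ca2.pem" >/dev/null
    count_hashed "$work/capath" "$(openssl x509 -noout -subject_hash -in "$work/src/ca1.pem")"
}
```

Pointing a libcurl build at the resulting directory with --with-ca-path (or at runtime with CURLOPT_CAPATH) gives the same lookup behaviour OpenSSL uses here.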
