18

I have a command line application that is using the libcurl-4 DLLs, and currently I can get everything to work by placing my CA certs in my working directory and passing their names to CURLOPT_CAINFO and CURLOPT_SSLCERT with a ./ prefix.

But, what I am working on is getting cURL to not use what is in the current directory and instead use the certs that are stored in my computer system store.

From reading cURL's documentation I understand that if you configure it without giving a specified default ca-bundle or ca-path that it will "auto-detect a setting".

And that CURLOPT_CAINFO is by default set to "built-in system specific".

So can anyone help me understand:

  1. if nothing is specified at configure time with curl, is the default path it detects the system store? Or does curl use its own path for a system store?

  2. what value do you give curl_easy_setopt(m_curlHandle, CURLOPT_CAINFO, <value>) to make CURLOPT_CAINFO go use its default value?

Any help is appreciated as I am still learning how this all works.

Thank you.

Benjamin Loison
Cody Pritchard

2 Answers

20

OpenSSL does not support using the "CA certificate store" that Windows has on its own. If you want your curl build to use that cert store, you need to rebuild curl to use the schannel backend instead (aka "winssl"), which is the Windows native version that also uses the Windows cert store by default.

If you decide to keep using OpenSSL, you simply must provide CA certs in either a PEM file or a specially crafted directory. As Windows doesn't provide its system store in that format, you either have to get a suitable store from somewhere or figure out how to convert the Windows cert store to PEM format.

Update

Starting with libcurl 7.71.0, due to ship on June 24, 2020, it will get the ability to use the Windows CA cert store when built to use OpenSSL. You then need to use the CURLOPT_SSL_OPTIONS option and set the correct bit in the bitmask: CURLSSLOPT_NATIVE_CA.

Starting with curl 8.2.0 (July 19 2023) (issue), there is the option --ca-native.

xnumad
Daniel Stenberg
  • 1
Yes, thank you for the help. Later yesterday I discovered that OpenSSL does not support the system store and have since built cURL to use winssl. However, I am now having problems with the SSL/TLS handshake and receiving http error 35. After reading through the schannel.c file, I stumbled across what I think is the issue with schannel not wanting to send the client certificate (see line 495). – Cody Pritchard Jun 01 '16 at 20:17
  • Is this still the same in 2018? OpenSSL can't access the windows Certificate store? That sounds ridiculous – user1618465 Jul 20 '18 at 00:31
  • I believe it is still true, yes. – Daniel Stenberg Jul 20 '18 at 13:38
  • 2
libcurl with the winssl / schannel backend works out of the box with the Windows certificate store with "Git for Windows" (see https://stackoverflow.com/questions/16668508/how-do-i-configure-git-to-trust-certificates-from-the-windows-certificate-store). However, I don't know how or whether you can configure the SSL backend on the command-line executable. – schlamar Sep 04 '19 at 12:13
  • Seems to be included in Windows 10 since April 2018. – JPBlanc May 07 '20 at 05:06
  • Thanks for adding the update <3 – aatwo Nov 16 '21 at 17:14
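For the OpenSSL-backed case described in the answer above, where the Windows store has to be turned into a PEM bundle by hand, here is an added example (not part of the original answer or of curl) that does the conversion with the Python standard library. It relies on ssl.enum_certificates, which exists only in Windows builds of Python, and on ssl.DER_cert_to_PEM_cert; the filtering and bundling logic is separated out so it can be exercised with constructed entries on any platform. It keeps only DER X.509 entries from the ROOT store that Windows marks as trusted for TLS server authentication, and drops duplicates by SHA-256 fingerprint. The output file name is an assumption.

```python
import hashlib
import ssl
import sys

# id-kp-serverAuth. Windows reports per-certificate trust as either True
# (all purposes) or a set of purpose OIDs; a root that is not trusted for
# server authentication must not become a trust anchor for TLS clients.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def select_server_auth_roots(entries):
    """Reduce raw store entries, shaped like ssl.enum_certificates()
    output (der_bytes, encoding_type, trust), to the DER X.509 roots
    trusted for TLS server auth, without duplicates."""
    seen = set()
    roots = []
    for der, encoding, trust in entries:
        if encoding != "x509_asn":          # skip PKCS#7 blobs etc.
            continue
        if trust is not True and SERVER_AUTH_OID not in trust:
            continue                        # not trusted for server auth
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint in seen:             # same cert in store twice
            continue
        seen.add(fingerprint)
        roots.append(der)
    return roots


def build_pem_bundle(entries):
    """Concatenate the selected roots into the PEM format that
    OpenSSL-backed curl expects for CURLOPT_CAINFO / --cacert."""
    return "".join(ssl.DER_cert_to_PEM_cert(der)
                   for der in select_server_auth_roots(entries))


def export_windows_roots(path):
    """Windows only: read the machine ROOT store and write a PEM bundle.
    Only ROOT is read on purpose; the CA store holds intermediates, and
    listing those in CAINFO would make curl treat them as trust anchors."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates exists only on Windows")
    bundle = build_pem_bundle(ssl.enum_certificates("ROOT"))
    with open(path, "w", encoding="ascii") as handle:
        handle.write(bundle)
    return bundle.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    # Assumed default output name; pass another path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "windows-roots.pem"
    print(f"wrote {export_windows_roots(target)} roots to {target}")
```

Point curl at the resulting file with --cacert on the command line (the curl tool also reads the CURL_CA_BUNDLE environment variable) or with CURLOPT_CAINFO in code. The bundle is a snapshot: certificates added to or revoked from the Windows store after the export are not reflected until it is regenerated, which is the main reason to prefer the Schannel backend or CURLSSLOPT_NATIVE_CA where they are available.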
4

Since April 2018, for those of you who want to download a file using the Windows command line, you can use the Curl.exe executable. From Windows 10 build 17063 and later, Curl is included, so that you can execute it directly from Cmd.exe or PowerShell.exe.

curl.exe -V
curl 7.55.1 (Windows) libcurl/7.55.1 WinSSL
Release-Date: [unreleased]
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL 

Be careful: in PowerShell the cmdlet Invoke-WebRequest is aliased as curl, so remove that alias (Remove-Item alias:curl) or explicitly call curl.exe.

As far as I understand, curl.exe is built with Schannel (Microsoft's native TLS engine), so libcurl still performs peer certificate verification, but instead of using a CA cert bundle it uses the certificates that are built into the OS.

curl.exe  "https://www.7-zip.org/a/7z1805-x64.exe"  --output c:\temp\7zip.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1404k  100 1404k    0     0  1404k      0  0:00:01 --:--:--  0:00:01 9002k
JPBlanc