8

I'm developing application in C++ (cross-platform; Windows, Mac and Linux) that needs to communicate securely with servers using https protocol with libcurl (built with winssl/darwinssl/openssl on Windows/Mac/Linux respectively). I've changed a curl option, CURLOPT_SSL_VERIFYPEER from 0 to 1 which should help prevent MitM issues.

This has caused issues that an initial search points to turning that option off, but after digging deeper I found:

Get a CA certificate that can verify the remote server and use the proper option to point out this CA cert for verification when connecting. For libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath); from curl docs

and

Get a better/different/newer CA cert bundle! One option is to extract the one a recent Firefox browser uses by running 'make ca-bundle' in the curl build tree root, or possibly download a version that was generated this way for you. from curl docs

I actually use CURLOPT_CAINFO to the bundle as I had seen some word of issues using CURLOPT_CAPATH on Windows; curl docs. I have downloaded and installed this bundle along with the application on Windows and Mac and I'd like to know if this is the correct way to do it or if there is a better practice.

Initially this caused issues for users of the application running behind some corporate networks or proxy which seemed to get fixed by building libcurl against winssl instead of openssl on Windows; though potentially disguising itself as a firewall issue, still unclear although it seems likely.

Sorry for the length.

Is anything silly about installing the ca-cert-bundle.crt along with the application, and is there anything that should be done differently to communicate securely with the server from this installed application?

A slightly separate, but still very related, issue I have is CURLOPT_CAINFO on Linux giving the error:

error setting certificate verify locations: CAfile: ../share/my_application/curl-ca-bundle.crt CApath: none

Though attempting to open the file for reading from within the application does work successfully. Edit: This issue I solved by NOT setting the CURLOPT_CAINFO field on Linux (leaving it blank) and adding the dependency package ca-certificates to the application package. The default path is correctly /etc/ssl/certs/ca-certificates.crt and seems to be working. To me this feels a bit better than installing the bundle with the application.

Edit2: Although solved it appears the ca-certificates package sometimes doesn't install ca-certificates.crt and instead ca-bundle.crt and the locations vary on different distros as this source, happyassassin.net shows that different Linux systems store the CA bundles in different locations. It did not seem to have a clear answer as to HOW to handle this. Should I be using a value in the configuration file that the user can then modify, or any other thoughts on the subject?

Edit3: Some users have pointed out that my name exists in one of the paths curl looks for, I'm not entirely sure how that is possible as the only thing I've specified for curl is where I built openssl/cares libraries...

I realize this is a loaded/multipart question but it is all on the same subject as the title states, I'd appreciate any help.

Thanks.

Tim Beaudet
  • 791
  • 7
  • 16

2 Answers2

0

In my opinion, it is better to use system certificate then package certificates with application (if you are not using some special certs). For the linux it should be easy according to https://serverfault.com/questions/394815/how-to-update-curl-ca-bundle-on-redhat And for windows you can either use winssl or create the file from system https://superuser.com/questions/442793/why-cant-curl-properly-verify-a-certificate-on-windows Configure cURL to use default system cert store

Community
  • 1
  • 1
Anardael
  • 1
  • 1
  • I am currently using WinSSL on Windows, however my initial approach was identical to the superuser link you've provided, shipping the CA bundle with the application, something I felt was/is a little odd- it also resulted in errors on corporate networks; those seemed to have gone away, or changed to DNS/Firewall issue since the WinSSL change. On Linux the link you gave shows the specific location for Redhat and similar distros, but on Debian/Ubuntu the ca-certificates package seems to place them in a different location, and so setting CAPATH to one will miss the other. – Tim Beaudet Jan 11 '17 at 17:40
  • Probably you should leave it blank and it should take default CA path. But, it will not work for some distros (there are some bug reports in the net). So you will need to do some testing on different releases and use path accordingly... – Anardael Jan 26 '17 at 16:50
  • I actually do not specify the CA PATH on linux, so that is what -should- be happening, I see how my last comment made it seem like I set it, sorry I was just meaning to say using that option could work in one place but not another. – Tim Beaudet Jan 26 '17 at 17:48
0

A default libcurl build is setup to attempt to use the "right" CA bundle.

Linux

A libcurl built on Linux will scan and check where the CA store is located on your system and use that. If you install libcurl on a regular Linux distro, it should've been built to use the distro's "typical" CA store.

macOS

If you build libcurl for mac and tell it to use the Secure Transport backend, it will automatically use the macOS CA store. So will the default-installed curl and libcurls that come shipped bundled with macOS from Apple.

Windows

If you build libcurl for Windows to use Schannel (the windows TLS system) it will by default use the Windows CA store.

Other setups

If you deviate from these setups, you basically opt to not use the CA store that comes bundled in the operating system you're using. Then you need to handle and update the CA store yourself.

Daniel Stenberg
  • 54,736
  • 17
  • 146
  • 222