We are using libcurl (7.3.6) in our application. An API call to an HTTPS URL gives a "curle_ssl_cacert" error. I have been able to resolve this using

    curl_easy_setopt(curl, CURLOPT_CAINFO, "PATH\\curl-ca-bundle.crt"); 

but we don't want to maintain this file in our application. Is there any way we can access it directly from the OS or from an alternative location?

stormForce
  • On Linux build libcurl with NSS support. On Windows build libcurl with schannel support and disable openssl. Look [here](https://curl.haxx.se/docs/sslcerts.html) for more details. – rustyx May 15 '19 at 13:21
  • If you're on macOS or Windows, you can build with the native TLS libraries and use their native cert stores. If you're on Linux, you need to use a separate CA cert file but your Linux distributions provide/update them... – Daniel Stenberg May 15 '19 at 22:22

1 Answer

For Windows,

If you want to use Windows' own CA certificates, you need to rebuild curl with the Schannel backend instead (aka "winssl"). It will use the Windows certificate store by default. OpenSSL does not support using the Windows system certificates on its own (see this answer); you must specify the certificate in PEM format, or set the default certificate when building libcurl with the parameters `--with-ca-bundle` and `--with-ca-path`.

For Linux,

According to the documentation:

> If libcurl was built with NSS support, then depending on the OS distribution, it is probably required to take some additional steps to use the system-wide CA cert db. RedHat ships with an additional module, libnsspem.so, which enables NSS to read the OpenSSL PEM CA bundle.

Drake Wu
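
The backend choice discussed above can also be checked at run time, so that `CURLOPT_CAINFO` is only set when the linked libcurl does not use the OS certificate store. This is an added example, not code from the question or the answer; `backend_uses_os_store` and `configure_trust` are hypothetical helper names, and the backend name prefixes it matches are assumptions about what `curl_version_info()` reports.

```c
/* Build with the libcurl wiring: cc -DUSE_LIBCURL trust.c -lcurl */
#include <stdio.h>
#include <string.h>
#ifdef USE_LIBCURL
#include <curl/curl.h>
#endif

/* 1 if the backend named in curl_version_info()->ssl_version verifies
   against the OS certificate store by default, else 0. The name prefixes
   are assumptions about what libcurl reports for its native backends;
   anything unrecognised falls back to file-based CA configuration. */
static int backend_uses_os_store(const char *ssl_version)
{
    static const char *const native[] = { "Schannel", "WinSSL", "SecureTransport" };
    size_t i;
    if (ssl_version == NULL)        /* libcurl built without TLS */
        return 0;
    for (i = 0; i < sizeof native / sizeof native[0]; i++)
        if (strncmp(ssl_version, native[i], strlen(native[i])) == 0)
            return 1;
    return 0;
}

#ifdef USE_LIBCURL
/* ca_bundle may be NULL to keep the default compiled in with
   --with-ca-bundle / --with-ca-path. Verification stays enabled. */
static CURLcode configure_trust(CURL *curl, const char *ca_bundle)
{
    curl_version_info_data *vi = curl_version_info(CURLVERSION_NOW);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
    if (backend_uses_os_store(vi->ssl_version) || ca_bundle == NULL)
        return CURLE_OK;
    return curl_easy_setopt(curl, CURLOPT_CAINFO, ca_bundle);
}
#endif

int main(void)
{
#ifdef USE_LIBCURL
    CURL *curl = curl_easy_init();
    if (curl == NULL)
        return 1;
    printf("configure_trust rc=%d\n", (int)configure_trust(curl, NULL));
    curl_easy_cleanup(curl);
#else
    printf("Schannel=%d OpenSSL=%d\n", backend_uses_os_store("Schannel"),
           backend_uses_os_store("OpenSSL/1.1.1"));
#endif
    return 0;
}
```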