The curl-ca-bundle.crt file is ignored on Windows, except if CURL_CA_BUNDLE is set #1538
Comments
First, there is no 7.56.0 version. Please tell us the real version number. Then, you haven't told us exactly what you did that doesn't work, so there's nothing here for us to explain, fix or otherwise act on. Please include all necessary details in your report here instead of referring to other web pages - lots of us read and work on these issues via mail.
Sorry, quick fingers and from memory. It's 7.54.0, and I did tell what I did. I put the curl-ca-bundle.crt in the current dir, the system's PATH and the application dir, but if you want to blame the messenger ...
You seem to refer to the way the curl tool searches for
It does, but only on Windows. See the function According to https://curl.haxx.se/docs/sslcerts.html, curl searches in:
The tool part of
I can repeat the steps in the link I provided in the first post but, yes, the program uses libcurl and fails because
(Now it seems we've moved away from the topic of this issue?) That's normally an error message you get when the server doesn't ship its intermediate certificate in the TLS handshake, and the reason you don't see the error in your favorite browser is because browsers A) cache intermediate certificates and B) some of them implement AIA, which goes and fetches the missing cert. libcurl does neither A nor B, and not providing the intermediate cert is considered a flaw. One way to easily tell if this is the problem is to run the site through the SSL Labs SSL test.
No, it's exactly the same issue. I will re-post here what's in the link in my first post.
So are there any remaining questions now?
Well, yes, two actually:
The CA cert search thing is not a bug, as I already explained. The search for the CA cert file that the curl command line tool does is a feature of the curl command line tool and not of the libcurl library. You can of course easily add that search yourself in your application if you want to mimic what curl does. I suppose we could view it as a documentation bug if the documentation isn't clear enough in specifying the distinction between what the curl tool does for this and what the library does. We could possibly discuss adding that feature to the library, but that's a slightly different take on the subject. I'm not convinced this is a good thing for the library to do, at least not unconditionally. The
Ok, good that we agree that it is a documentation fault, which was the basis for me to submit this as a bug report. Regarding future improvements I'm certainly not aware of the details and job difficulties, but if the same sort of command works on Linux I (and others that will come across this behavior) was certainly expecting that it worked similarly on Windows, even if under certain conditions.
It says command line tool twice. What else can we do to emphasize that?
Which in fact also works when using the libcurl library, so not so unreasonable to expect the same applied to the CA certificate.
That's a specific behavior only in some builds (those that defined
When this define was set, libcurl would check the environment variable named CURL_CA_BUNDLE at run-time and use that CA cert bundle. This feature was only defined by the watcom and m32 makefiles and caused inconsistent behaviours among libcurls built on different platforms. The curl tool does already feature its own similar logic and the library does not really need it, and it isn't documented libcurl behavior. So this change removes it. Ref: #1538
OK, let me summarize
Conclusion, since 3. is a lack of consistency let's remove it and make the command fail too. Then it will work on Linux and fail on Windows. Consistency above all.
It doesn't "work on Windows" in a generic sense. It works only for a small subset of Windows builds, the ones that happen to use one of those makefiles that had this enabled. If you want your tool to accept the
GDAL is not "my tool", it's a library used by really many programs, among them one in which I participate.
How does that make any difference? I would imagine that users of the GDAL library would appreciate a single and documented way of overriding/setting which CA cert to use. If said method should be "use an environment variable", then the GDAL library should get that environment variable and pass it to libcurl as explained. If it would use another method, like perhaps an option or config file or similar, then it should get the path that way and pass it to libcurl...
Nobody here is responsible for that library, it is up to them to correctly set up the SSL usage. You happened to have found out that I installed GDAL using gdal-201-1600-x64-core.msi and confirm the same problem. Using Process Monitor I can see no attempt is made to access the curl-ca-bundle.crt that is included in the same directory, or any for that matter (i.e. no unusual 'name not found' or 'no file' entries). If they want to search directories including the app directory for curl-ca-bundle.crt they can use the Windows API function
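The point made twice above, that the CA-bundle search belongs to the curl tool and an application using libcurl has to do it itself (and then hand the result to libcurl, as in the environment-variable suggestion), is easiest to see in code. The following is an added example, not curl's or GDAL's own code. It implements the search order documented for the curl tool on Windows (CURL_CA_BUNDLE, then the current directory, then each PATH directory, then the application directory) and assumes the names `find_ca_bundle`, `exe_dir` and `CA_BUNDLE_NAME`; the call that feeds the result to libcurl (`curl_easy_setopt` with `CURLOPT_CAINFO`) is left as a comment so the block compiles without libcurl installed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Assumed names for this added example: CA_BUNDLE_NAME, find_ca_bundle, exe_dir. */
#define CA_BUNDLE_NAME "curl-ca-bundle.crt"

#ifdef _WIN32
#define PATH_LIST_SEP ';'
#define DIR_SEP '\\'
#else
#define PATH_LIST_SEP ':'
#define DIR_SEP '/'
#endif

/* True when `path` names an existing regular file (a directory does not count). */
static int is_regular_file(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Write "<dir><sep><name>" into out; an empty dir component means the cwd. */
static int join_path(const char *dir, size_t dirlen, const char *name,
                     char *out, size_t outlen)
{
    if (dirlen == 0) {
        dir = ".";
        dirlen = 1;
    }
    int n = snprintf(out, outlen, "%.*s%c%s", (int)dirlen, dir, DIR_SEP, name);
    return n > 0 && (size_t)n < outlen;
}

/*
 * Locate a CA bundle the way the curl command-line tool does on Windows
 * (https://curl.haxx.se/docs/sslcerts.html); libcurl itself performs no
 * such search, so an application has to do this before setting CURLOPT_CAINFO:
 *   1. CURL_CA_BUNDLE environment variable (taken verbatim, like the tool does)
 *   2. the current working directory
 *   3. every directory listed in PATH
 *   4. the application's own directory (exe_dir; pass NULL to skip this step)
 * Returns 1 and fills `out` on success, 0 otherwise.
 */
int find_ca_bundle(const char *exe_dir, char *out, size_t outlen)
{
    const char *env = getenv("CURL_CA_BUNDLE");
    if (env && *env)
        return snprintf(out, outlen, "%s", env) < (int)outlen;

    if (is_regular_file(CA_BUNDLE_NAME))
        return snprintf(out, outlen, "%s", CA_BUNDLE_NAME) < (int)outlen;

    const char *path = getenv("PATH");
    while (path && *path) {
        const char *end = strchr(path, PATH_LIST_SEP);
        size_t len = end ? (size_t)(end - path) : strlen(path);
        if (join_path(path, len, CA_BUNDLE_NAME, out, outlen) && is_regular_file(out))
            return 1;
        if (!end)
            break;
        path = end + 1;
    }

    if (exe_dir && join_path(exe_dir, strlen(exe_dir), CA_BUNDLE_NAME, out, outlen)
        && is_regular_file(out))
        return 1;

    if (outlen)
        out[0] = '\0';
    return 0;
}

int main(void)
{
    char ca[4096];
    /* On Windows exe_dir would come from GetModuleFileName(); NULL skips step 4. */
    if (find_ca_bundle(NULL, ca, sizeof ca)) {
        printf("using CA bundle: %s\n", ca);
        /* With a real handle: curl_easy_setopt(handle, CURLOPT_CAINFO, ca); */
    } else {
        printf("no %s found; libcurl keeps its build-time default\n", CA_BUNDLE_NAME);
    }
    return 0;
}
```

Two things follow from reading the search order as code, and both bear on the maintainer's reluctance to put it into the library unconditionally: CURL_CA_BUNDLE is honoured verbatim, so whoever controls the process environment controls which roots are trusted, and steps 2 and 3 accept a bundle from the current directory or any PATH directory, so a writable directory early in PATH is enough to substitute one. An application that adopts this search should restrict it to directories it trusts, or drop steps 2 and 3 and keep only an explicit setting plus its own install directory.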
…ows. See curl/curl#1538 git-svn-id: https://svn.osgeo.org/gdal/trunk/gdal@38903 f0d54148-0727-0410-94bb-9a71ac55c965
…ows. See curl/curl#1538 git-svn-id: https://svn.osgeo.org/gdal/trunk@38903 f0d54148-0727-0410-94bb-9a71ac55c965
What is still not clear to me is why the certificate verification works on Unix systems (actually I tested on Ubuntu and Mac OS) while it is not working by default on Windows. Is curl using some system CA list on Unix while it fails to do the same on Windows? I just want to understand better to avoid bad assumptions in my code. Thanks
@kalosma this is an old BUG REPORT. Your added questions will not be answered here. If you experience a bug with the latest curl version, file a new bug. If you have a question about the curl tool, ask on the curl-users mailing list. Thanks!
I did this
Put the curl-ca-bundle.crt file in the several places mentioned in here.
I expected the following
That it works, but it doesn't. Only if the CURL_CA_BUNDLE ENV variable is set. See here for more details.
curl/libcurl version
7.56.0
operating system
Win10 64 bits