Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

curl_easy_setopt(curl, CURLOPT_CAPATH, path) with mbedtls returns CURLE_NOT_BUILT_IN #1877

SBKarr opened this issue Sep 8, 2017 · 4 comments


Copy link

SBKarr commented Sep 8, 2017

But curl uses mbedtls_x509_crt_parse_path in mbedtls backend, if ssl_capath was configured.

libcurl: 7.55.1 (13 Aug 2017)
mbedtls: 2.6.0
OS: Ubuntu 16.04

  curl version:     7.55.1
  Host setup:       x86_64-pc-linux-gnu
  Install prefix:   
  Compiler:         clang
  SSL support:      enabled (mbedTLS)
  SSH support:      no      (--with-libssh2)
  zlib support:     enabled
  GSS-API support:  no      (--with-gssapi)
  TLS-SRP support:  no      (--enable-tls-srp)
  resolver:         POSIX threaded
  IPv6 support:     enabled
  Unix sockets support: no      (--enable-unix-sockets)
  IDN support:      no      (--with-{libidn2,winidn})
  Build libcurl:    Shared=no, Static=yes
  Built-in manual:  no      (--enable-manual)
  --libcurl option: enabled (--disable-libcurl-option)
  Verbose errors:   no
  SSPI support:     no      (--enable-sspi)
  ca cert bundle:   no
  ca cert path:     no
  ca fallback:      no
  LDAP support:     no      (--enable-ldap / --with-ldap-lib / --with-lber-lib)
  LDAPS support:    no      (--enable-ldaps)
  RTSP support:     no      (--enable-rtsp)
  RTMP support:     no      (--with-librtmp)
  metalink support: no      (--with-libmetalink)
  PSL support:      no      (libpsl not found)
  HTTP2 support:    disabled (--with-nghttp2)

It just works if i define #define have_curlssl_ca_path 1 in mbedtls.h, but i think, it should be tested somehow.

@bagder bagder added the TLS label Sep 9, 2017
Copy link

bagder commented Sep 9, 2017

If curl_easy_setopt returns that, it is because the libcurl you're using was built totally without SSL support!


Copy link

jay commented Sep 10, 2017

This report may be legit, the mbedtls function is for ca path but that is disabled for some reason:


Lines 1042 to 1049 in a14f715

const struct Curl_ssl Curl_ssl_mbedtls = {
{ CURLSSLBACKEND_MBEDTLS, "mbedtls" }, /* info */
0, /* have_ca_path */
0, /* have_certinfo */
1, /* have_pinnedpubkey */
1, /* have_ssl_ctx */
0, /* support_https_proxy */

Doc says it's supported for PolarSSL but since contributors made mbedTLS code from that then I'd guess it should be supported for mbedTLS too.

/cc @dscho

Copy link

SBKarr commented Sep 10, 2017

I usually use ca bundle file with CURLOPT_CAINFO, it's ok for TLS (HTTPS, SMTPS. CURLOPT_SSL_VERIFYPEER, 1L, CURLOPT_SSL_VERIFYHOST, 2L) with same libcurl, that returns CURLE_NOT_BUILT_IN for CURLOPT_CAPATH.

It's also ok, if i build libcurl with #define have_curlssl_ca_path 1 in mbedtls.h 7.55.1.

So, i think it's have_ca_path problem, not USE_SSL problem.

jay added a commit that referenced this issue Sep 10, 2017
CA path processing was implemented when mbedtls.c was added to libcurl
in fe7590f, but it was never enabled.

Bug: #1877
Copy link

jay commented Sep 10, 2017

I see. It looks as though it's been like that since it was added. Thanks, landed in 64bb7ae.

@jay jay closed this as completed Sep 10, 2017
@lock lock bot locked as resolved and limited conversation to collaborators May 6, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

No branches or pull requests

3 participants