curl_easy_setopt(curl, CURLOPT_CAPATH, path) with mbedtls returns CURLE_NOT_BUILT_IN #1877

SBKarr opened this Issue Sep 8, 2017 · 4 comments



SBKarr commented Sep 8, 2017

But curl uses mbedtls_x509_crt_parse_path in the mbedtls backend if ssl_capath was configured.

libcurl: 7.55.1 (13 Aug 2017)
mbedtls: 2.6.0
OS: Ubuntu 16.04

  curl version:     7.55.1
  Host setup:       x86_64-pc-linux-gnu
  Install prefix:   
  Compiler:         clang
  SSL support:      enabled (mbedTLS)
  SSH support:      no      (--with-libssh2)
  zlib support:     enabled
  GSS-API support:  no      (--with-gssapi)
  TLS-SRP support:  no      (--enable-tls-srp)
  resolver:         POSIX threaded
  IPv6 support:     enabled
  Unix sockets support: no      (--enable-unix-sockets)
  IDN support:      no      (--with-{libidn2,winidn})
  Build libcurl:    Shared=no, Static=yes
  Built-in manual:  no      (--enable-manual)
  --libcurl option: enabled (--disable-libcurl-option)
  Verbose errors:   no
  SSPI support:     no      (--enable-sspi)
  ca cert bundle:   no
  ca cert path:     no
  ca fallback:      no
  LDAP support:     no      (--enable-ldap / --with-ldap-lib / --with-lber-lib)
  LDAPS support:    no      (--enable-ldaps)
  RTSP support:     no      (--enable-rtsp)
  RTMP support:     no      (--with-librtmp)
  metalink support: no      (--with-libmetalink)
  PSL support:      no      (libpsl not found)
  HTTP2 support:    disabled (--with-nghttp2)

It just works if I define #define have_curlssl_ca_path 1 in mbedtls.h, but I think it should be tested somehow.

@bagder bagder added the SSL/TLS label Sep 9, 2017


bagder commented Sep 9, 2017

If curl_easy_setopt returns that, it is because the libcurl you're using was built totally without SSL support!



jay commented Sep 10, 2017

This report may be legit; the mbedtls function is for ca path, but that is disabled for some reason:


Lines 1042 to 1049 in a14f715

const struct Curl_ssl Curl_ssl_mbedtls = {
  { CURLSSLBACKEND_MBEDTLS, "mbedtls" }, /* info */
  0, /* have_ca_path */
  0, /* have_certinfo */
  1, /* have_pinnedpubkey */
  1, /* have_ssl_ctx */
  0, /* support_https_proxy */

Doc says it's supported for PolarSSL but since contributors made mbedTLS code from that then I'd guess it should be supported for mbedTLS too.

/cc @dscho

SBKarr commented Sep 10, 2017

I usually use a CA bundle file with CURLOPT_CAINFO; it's OK for TLS (HTTPS, SMTPS; CURLOPT_SSL_VERIFYPEER, 1L, CURLOPT_SSL_VERIFYHOST, 2L) with the same libcurl that returns CURLE_NOT_BUILT_IN for CURLOPT_CAPATH.

It's also OK if I build libcurl with #define have_curlssl_ca_path 1 in mbedtls.h 7.55.1.

So, I think it's a have_ca_path problem, not a USE_SSL problem.

jay added a commit that referenced this issue Sep 10, 2017

mbedtls: enable CA path processing
CA path processing was implemented when mbedtls.c was added to libcurl
in fe7590f, but it was never enabled.

Bug: #1877

jay commented Sep 10, 2017

I see. It looks as though it's been like that since it was added. Thanks, landed in 64bb7ae.

@jay jay closed this Sep 10, 2017
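
For applications that must also run against builds without this fix, an added example (not code from the thread or from curl) of trust-store setup that checks what setting CURLOPT_CAPATH returns and falls back to CURLOPT_CAINFO only on CURLE_NOT_BUILT_IN. The `set_str_fn` seam, `configure_trust`, the two stubs and the sample paths are assumptions made for illustration; with libcurl present, include `<curl/curl.h>` in place of the stand-in enums and pass a thin wrapper around `curl_easy_setopt`.

```c
#include <stdio.h>
/* Stand-ins so this compiles without libcurl; with libcurl, delete them and
   #include <curl/curl.h> (the numeric values below match curl.h). */
typedef enum { CURLE_OK = 0, CURLE_NOT_BUILT_IN = 4 } CURLcode;
typedef enum { CURLOPT_CAINFO = 10065, CURLOPT_CAPATH = 10097 } CURLoption;

/* Hypothetical seam: in real code a thin wrapper around curl_easy_setopt(). */
typedef CURLcode (*set_str_fn)(void *handle, CURLoption opt, const char *val);

typedef enum { TRUST_NONE = 0, TRUST_CAPATH, TRUST_CAINFO } trust_source;

/* Prefer the CA directory; fall back to the bundle only when the backend
   answers CURLE_NOT_BUILT_IN. Any other error is not masked. TRUST_NONE means
   no trust anchors were set and the caller must not start a transfer. */
trust_source configure_trust(void *h, set_str_fn set,
                             const char *capath, const char *cainfo)
{
    if (capath) {
        CURLcode rc = set(h, CURLOPT_CAPATH, capath);
        if (rc == CURLE_OK)
            return TRUST_CAPATH;
        if (rc != CURLE_NOT_BUILT_IN)
            return TRUST_NONE;
    }
    if (cainfo && set(h, CURLOPT_CAINFO, cainfo) == CURLE_OK)
        return TRUST_CAINFO;
    return TRUST_NONE;
}

/* Constructed stub: behaves like the build reported here (CAPATH refused). */
CURLcode stub_unpatched(void *h, CURLoption opt, const char *val)
{
    (void)h; (void)val;
    return opt == CURLOPT_CAPATH ? CURLE_NOT_BUILT_IN : CURLE_OK;
}

/* Constructed stub: behaves like a build with CA path processing enabled. */
CURLcode stub_patched(void *h, CURLoption opt, const char *val)
{
    (void)h; (void)opt; (void)val;
    return CURLE_OK;
}

int main(void)
{   /* Sample paths, constructed for the example. */
    trust_source t = configure_trust(NULL, stub_unpatched,
                                     "/etc/ssl/certs", "/etc/ssl/cert.pem");
    printf("trust source: %d\n", (int)t);
    return t == TRUST_NONE;
}
```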
