use openssl's built in verify path as fallback #569

Closed

@lnussel
Contributor
lnussel commented Dec 18, 2015

adds the configure option as requested in #175

lnussel added some commits Mar 24, 2015
@lnussel lnussel use openssl's built in verify path as fallback
Trying to verify a peer without having any root CA certificates
registered won't work. So use openssl's built in default as
fallback.
169e605
@lnussel lnussel update docu wrt SSL CA certificate store 42290fd
@lnussel lnussel use gnutls' built in verify path as fallback
Trying to verify a peer without having any root CA certificates
registered won't work. So use gnutls' built in default as
fallback.
1c30c6b
@lnussel lnussel make CA fallback optional
c885cd4
@lnussel
Contributor
lnussel commented Dec 18, 2015

I have no idea what that Windows failure is about.

@gvanem
Contributor
gvanem commented Dec 18, 2015

@lnussel error C2020: 'connecting_state': 'struct' member redefinition

You mean the:

'connecting_state': 'struct' member redefinition

Seems like both USE_SCHANNEL and another SSL define is set. Hard to see which.
But IMHO urldata.h (or some other .h-file) should have tests and an #error for such a case.

@lnussel
Contributor
lnussel commented Dec 18, 2015

But that is unrelated to my change, right?

@gvanem
Contributor
gvanem commented Dec 18, 2015

@lnussel but that is unrelated to my change, right?

Probably. According to the AppVeyor, some error in the Windows setup 5 days ago. Before your change?

@bagder
Member
bagder commented Feb 4, 2016

I hear lots of other projects having problems with using openssl's default paths anyway since they are often not set correctly. Can you help us understand when exactly this feature will make an actual difference/improvement to users of libcurl?

@lnussel
Contributor
lnussel commented Feb 5, 2016

Well, if 3rd parties bundle curl and want to build it in a way to be as independent as possible from weird issues in random operating systems, then this change is not useful indeed. It is useful for Linux distributions, though, that know that their openssl resp. gnutls is configured properly. That's why I added the explicit configure switch as requested.

@bagder bagder self-assigned this Feb 6, 2016
@bagder
Member
bagder commented Feb 6, 2016

Agreed. I mean to merge this immediately after the pending patch release.

@bagder bagder added a commit that closed this pull request Feb 8, 2016
@lnussel @bagder lnussel + bagder configure: --with-ca-fallback: use built-in TLS CA fallback
When trying to verify a peer without having any root CA certificates
set, this makes libcurl use the TLS library's built in default as
fallback.

Closes #569
7b55279
@bagder bagder closed this in 7b55279 Feb 8, 2016
@bagder
Member
bagder commented Feb 8, 2016

thanks!

@bagder bagder added the SSL/TLS label Feb 8, 2016
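
As an added illustration (not code from this pull request or from libcurl), the sketch below uses Python's `ssl` module, which wraps OpenSSL, to show the decision the commit message describes: the TLS library's built-in verify paths are used only when no CA certificates are set and the fallback is enabled. It also checks whether those default paths actually hold anything, the concern raised in the discussion. The names `store_usable`, `default_store_usable`, `build_context` and the `ca_fallback` parameter are assumptions made for the example.

```python
import os
import ssl

def store_usable(cafile, capath):
    """True if a CA bundle file or a hashed CA directory exists and is non-empty."""
    file_ok = bool(cafile) and os.path.isfile(cafile) and os.path.getsize(cafile) > 0
    dir_ok = bool(capath) and os.path.isdir(capath) and bool(os.listdir(capath))
    return file_ok or dir_ok

def default_store_usable():
    """Check the locations compiled into (or set by env for) the linked OpenSSL."""
    p = ssl.get_default_verify_paths()
    return store_usable(p.cafile, p.capath)

def build_context(cafile=None, capath=None, ca_fallback=False):
    """Return (context, trust_source); peer verification stays required in every case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile or capath:
        # CA certificates were set explicitly: no fallback involved.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
        return ctx, "explicit"
    if ca_fallback:  # hypothetical switch standing in for --with-ca-fallback
        ctx.set_default_verify_paths()
        return ctx, "library-default"
    return ctx, "none"  # empty store: every handshake fails verification

if __name__ == "__main__":
    p = ssl.get_default_verify_paths()
    print("library default cafile:", p.openssl_cafile, "capath:", p.openssl_capath)
    print("default store usable:", default_store_usable())
    for kwargs in ({}, {"ca_fallback": True}):
        ctx, source = build_context(**kwargs)
        print(kwargs, "->", source, ctx.cert_store_stats())
```

If `default_store_usable()` returns False on a given system, enabling the fallback there changes nothing: verification still fails because the library's default locations are empty or missing.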