Michael Stahl via curl-library wrote:
> On 20/02/2022 14.18, Cristian Rodríguez wrote:
>> You can add a trusted CA before the handshake takes place..so no. it
>> is not the case.
>
> this is not entirely satisfying.
>
> ideally we do not really want to be in the business of deciding for the user
> which CAs they do or do not trust.
>
> we can easily make this decision Somebody Else's Problem on Windows and
> macOS by using the system TLS stack, at least with curl.
>
> do you know if it's possible to initialize OpenSSL in such a way that it
> reads a trust database from the operating system, and do that centrally
> for the whole process?
>
> if we would need to patch 4 bundled libraries separately to get
> this effect i would be rather sad.
>
> but this could be helpful, in case such a database can be conveniently
> located on every distro...

Seems that most distros use /etc/ssl/certs. You can also provide an openssl.cnf file to specify paths.

> i think we already have this with NSS by using NSS_InitReadWrite().

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
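As an added illustration of the question in this thread (can OpenSSL be pointed at the operating system's trust database once, for the whole process?), the script below is an editor's example, not code from the thread, from curl or from OpenSSL. It uses Python's standard `ssl` module, which is a thin wrapper over OpenSSL's default-path machinery: `SSL_CTX_set_default_verify_paths` honours the `SSL_CERT_FILE` / `SSL_CERT_DIR` environment variables and otherwise falls back to the compiled-in OPENSSLDIR locations, which on most Linux distributions resolve to `/etc/ssl/certs` as noted above. The hashed-layout check, the demo directory and the hash value in its file name are constructed for illustration.

```python
"""Added example: where OpenSSL's process-wide trust store comes from,
and how to build one verifying context that uses the OS trust database.
Uses only Python's standard ssl module (a thin wrapper over OpenSSL)."""
import os
import re
import ssl
import tempfile

# OpenSSL's hashed-directory layout (X509_LOOKUP_hash_dir): each CA is
# reachable through a file or symlink named <8 hex digits of subject hash>.<n>
_HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def default_trust_paths() -> dict:
    """Report the compiled-in trust-store locations and the environment
    variables (SSL_CERT_FILE / SSL_CERT_DIR) that override them.
    'effective_*' is None when the env var is unset and the compiled-in
    default does not exist on this host."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile_env": p.openssl_cafile_env,
        "capath_env": p.openssl_capath_env,
        "compiled_cafile": p.openssl_cafile,
        "compiled_capath": p.openssl_capath,
        "effective_cafile": p.cafile,
        "effective_capath": p.capath,
    }


def is_hashed_cert_dir(path: str) -> bool:
    """True if 'path' looks like a directory OpenSSL's CApath lookup can
    use, i.e. it contains at least one <hash>.<n> entry (what
    'openssl rehash' / c_rehash produce). A directory holding only plain
    .pem/.crt files is silently ignored by the lookup, a common
    misconfiguration that leaves the process with zero trusted CAs."""
    try:
        names = os.listdir(path)
    except OSError:
        return False
    return any(_HASHED_NAME.match(n) for n in names)


def system_store_context() -> ssl.SSLContext:
    """One verifying client context that loads the OS trust database via
    OpenSSL's default paths. Share this object across the process so every
    connection validates against the same CA set instead of each library
    deciding for itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED     # refuse unverified peers
    ctx.check_hostname = True               # and mismatched names
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def trusted_ca_count(ctx=None) -> int:
    """Number of CA certificates the context actually loaded; 0 means the
    default paths resolved to nothing and every verified handshake will
    fail, which is worth checking at startup rather than at first use."""
    ctx = ctx if ctx is not None else system_store_context()
    return ctx.cert_store_stats()["x509_ca"]


def make_demo_trust_dir() -> str:
    """Constructed fixture: a fresh temp dir plus one empty file whose name
    follows the hashed layout (the hash value itself is made up)."""
    d = tempfile.mkdtemp(prefix="demo-capath-")
    open(os.path.join(d, "5ed36f99.0"), "w").close()
    return d


if __name__ == "__main__":
    info = default_trust_paths()
    print(f"override via {info['cafile_env']} / {info['capath_env']}")
    print(f"compiled-in: {info['compiled_cafile']}  {info['compiled_capath']}")
    print(f"effective:   {info['effective_cafile']}  {info['effective_capath']}")
    for cand in ("/etc/ssl/certs", info["compiled_capath"]):
        print(f"{cand}: hashed layout = {is_hashed_cert_dir(cand)}")
    print(f"CAs loaded by default context: {trusted_ca_count()}")
```

Setting `SSL_CERT_DIR` (or `SSL_CERT_FILE`) in the environment before the first context is created is the process-wide switch the thread asks about; OpenSSL reads those variables at the time the default paths are installed, so anything that links libssl and calls `SSL_CTX_set_default_verify_paths` picks up the same store without per-library patching.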