On Sat, May 28, 2022 at 7:20 AM Arrigo Marchiori <ard...@yahoo.it.invalid> wrote:
> > Apparently, we are not. If we force CURLOPT_CAINFO and CURLOPT_CAPATH
> > to be NULL, we get a bit further but eventually Curl aborts because
> > validateServerX509Certificate fails.
>
> Sorry to resurrect an old thread, but I think I now understand how this
> crash happens.
>
> So I always thought it was OpenSSL doing something wrong with the
> certificates, but then in Curl's configure.ac, close to the end of the
> file, there is the following:
>
> ---snip---
>   ca cert bundle:   ${ca}${ca_warning}
>   ca cert path:     ${capath}${capath_warning}
>   ca fallback:      ${with_ca_fallback}
> ---snip---
>
> which apparently comes from:
>
> ---snip---
> dnl **********************************************************************
> dnl Check for the CA bundle
> dnl **********************************************************************
>
> if test -n "$check_for_ca_bundle"; then
>   CURL_CHECK_CA_BUNDLE
> fi
> ---snip---
>
> and in Curl's acinclude.m4 we see that the CURL_CHECK_CA_BUNDLE function
> uses a number of options, distro-specific search paths, etc.
>
> This would also explain why system Curl always worked perfectly for me on
> FreeBSD - the Port already built it with
> --with-ca-bundle="${LOCALBASE}/share/certs/ca-root-nss.crt".
>
> Now presumably things go wrong when Curl is using a bad path to the CA
> bundle, because either it detected the path wrong during ./configure, or
> it's running on a different distro.
>
> So we should either build our Curl with the --without-ca-bundle
> --without-ca-path --without-ca-fallback options, or disable use of those
> settings at runtime. I prefer doing it at runtime, to be on the safe side.
>
> I have a patch ready, but I am now unsure about other issues.
>
> If we are going to use our own certificate validation instead of
> OpenSSL's, shouldn't we use SSL_CTX_set_cert_verify_callback() which
> completely replaces OpenSSL's verification, instead of SSL_CTX_set_verify()
> which just allows us to override its result on each certificate?
>
> Also what steps does OpenSSL follow?
We have a page on our Wiki
(https://wiki.openoffice.org/wiki/Certificate_Path_Validation) with
proposed certificate validation requirements, and also need to confirm
what OpenSSL does, and whether it does the more elaborate checks like
connecting to OCSP and CRL servers to verify revocation status. If not,
we'd have to develop that ourselves.

Regards
Damjan
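As an added example (not code from this thread, from curl, or from OpenOffice), the following POSIX shell script checks whether the CA bundle path that CURL_CHECK_CA_BUNDLE baked into a curl build actually exists and holds certificates on the machine curl now runs on, which is the stale-path failure mode described above. It assumes `curl-config --ca` reports the compiled-in bundle path (it prints an empty string for a --without-ca-bundle build) and that a CA directory to check, if any, is passed as the script's first argument.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the CA bundle (and optional
# CA directory) a curl build was configured with exist and contain trust
# anchors on the system curl runs on. If the path is stale (wrong distro,
# wrong detection at ./configure time) curl loads no CA certificates and
# server certificate verification fails.

# 0 if $1 is a readable file containing at least one PEM certificate block.
ca_bundle_ok() {
    [ -r "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# 0 if $1 is a directory holding at least one OpenSSL hash link (xxxxxxxx.N),
# which is what a directory used as CURLOPT_CAPATH must contain to be usable.
ca_path_ok() {
    [ -d "$1" ] && ls "$1" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'
}

# Print a verdict for the bundle path ($1) and optional CA directory ($2).
# Returns 0 only when every path that was configured checks out. An empty
# $1 means no bundle was compiled in (curl-config --ca prints nothing then).
report_ca_config() {
    rc=0
    if [ -z "$1" ]; then
        echo "bundle: none compiled in (--without-ca-bundle or detection failed)"
    elif ca_bundle_ok "$1"; then
        echo "bundle: $1 OK"
    else
        echo "bundle: $1 MISSING or contains no certificates"; rc=1
    fi
    if [ -n "$2" ]; then
        if ca_path_ok "$2"; then echo "capath: $2 OK"
        else echo "capath: $2 MISSING or has no hashed links"; rc=1; fi
    fi
    return $rc
}

# When curl-config is on PATH, check the bundle path it reports for this
# build. curl-config has no query for the CA directory, so pass it as $1.
if command -v curl-config >/dev/null 2>&1; then
    report_ca_config "$(curl-config --ca)" "${1-}" || true
fi
```

Run it as `sh check-ca.sh /etc/ssl/certs` (assumed file name and directory) on each target system; a non-zero exit from report_ca_config means the build's trust store configuration will not work there.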