Re: WebDAV module ported from serf to curl; curl using openssl and zlib (was: Re: Openssl, serf and curl)

2024-02-07 Thread Damjan Jovanovic
On Sat, May 28, 2022 at 7:20 AM Arrigo Marchiori 
wrote:

>
> Apparently, we are not. If we force CURLOPT_CAINFO and CURLOPT_CAPATH
> to be NULL, we get a bit further but eventually Curl aborts because
> validateServerX509Certificate fails.
>
>
Sorry to resurrect an old thread, but I think I now understand how this
crash happens.

So I always thought it was OpenSSL doing something wrong with the
certificates, but then in Curl's configure.ac, close to the end of the
file, there is the following:
---snip---
  ca cert bundle:   ${ca}${ca_warning}
  ca cert path: ${capath}${capath_warning}
  ca fallback:  ${with_ca_fallback}
---snip---

which apparently comes from:

---snip---
dnl **
dnl Check for the CA bundle
dnl **

if test -n "$check_for_ca_bundle"; then
  CURL_CHECK_CA_BUNDLE
fi
---snip---

and in Curl's acinclude.m4 we see that the CURL_CHECK_CA_BUNDLE function
uses a number of options, distro-specific search paths, etc.

This would also explain why system Curl always worked perfectly for me on
FreeBSD - the Port already built it with
--with-ca-bundle="${LOCALBASE}/share/certs/ca-root-nss.crt".

Now presumably things go wrong when Curl is using a bad path to the CA
bundle, because either it detected the path wrong during ./configure, or
it's running on a different distro.

So we should either build our Curl with the --without-ca-bundle
--without-ca-path --without-ca-fallback options, or disable use of those
settings at runtime. I prefer doing it at runtime, to be on the safe side.

I have a patch ready, but I am now unsure about other issues. If we are
going to use our own certificate validation instead of OpenSSL's, shouldn't
we use SSL_CTX_set_cert_verify_callback() which completely replaces
OpenSSL's verification, instead of SSL_CTX_set_verify() which just allows
us to override its result on each certificate? Also what steps does OpenSSL
follow? We have a page on our Wiki (
https://wiki.openoffice.org/wiki/Certificate_Path_Validation) with proposed
certificate validation requirements, and also need to confirm what OpenSSL
does, and whether it does the more elaborate checks like connecting to OCSP
and CRL servers to verify revocation status. If not, we'd have to develop
that ourselves.

Regards
Damjan


Re: [PR] Possible fix for issue 60859 [openoffice]

2024-02-07 Thread via GitHub


Pilot-Pirx commented on PR #200:
URL: https://github.com/apache/openoffice/pull/200#issuecomment-1932700934

I updated my build now with the above changes, but unfortunately it still
crashes...


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
