This issue was moved to a discussion.


Please consider --ca-native for OpenSSL by default on Windows #13444

Closed
Andarwinux opened this issue Apr 22, 2024 · 2 comments

Comments

@Andarwinux

I did this

build openssl master with openssl/openssl#24218

build curl master with this openssl

I expected the following

Use https without bundled certificates or --ca-native.

If I build aria2 with the same OpenSSL, it works as expected, so it looks like curl just overrides OpenSSL's default setting. If winstore becomes the default for OpenSSL, then curl should do the same.

curl/libcurl version

curl 8.8.0-DEV (Windows) libcurl/8.8.0-DEV OpenSSL/3.4.0 zlib/1.3.1.zlib-ng brotli/1.1.0 zstd/1.5.6 c-ares/1.28.1 WinIDN libpsl/0.21.5 libssh/0.10.90/openssl/zlib nghttp2/1.61.90 nghttp3/1.2.90
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL SSPI threadsafe Unicode UnixSockets zstd

operating system

Linux wsl 5.15.137.3-microsoft-standard-WSL2+ #2 SMP Sun Dec 31 07:44:33 UTC 2023 x86_64 GNU/Linux
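As an added example, not part of the issue and not code from the curl project: a PowerShell probe that shows which trust store a Windows curl.exe built against OpenSSL is actually using. It fetches the same URL three times, with the built-in default, with an explicit --cacert bundle, and with --ca-native, and reports the exit code together with the verbose lines that name the CA source. The curl.exe path, the URL and the bundle path are placeholders, and the pattern used to filter the verbose log is a heuristic rather than an exact match on curl's messages.

```powershell
# Added example, not code from the issue or from the curl project: probe which
# trust store a Windows curl.exe built against OpenSSL is actually using.
# Assumptions (change as needed): curl.exe is on PATH, $Url is reachable, and
# $Bundle is a PEM file you trust for comparison. The regex used to filter the
# verbose output is a heuristic, not an exact match on curl's messages.
param(
    [string]$Curl   = "curl.exe",
    [string]$Url    = "https://example.com/",
    [string]$Bundle = "C:\certs\cacert.pem"
)

# Exit codes as documented in the curl man page:
#   0  transfer OK, certificate chain verified
#   60 peer certificate cannot be authenticated with known CA certificates
#   77 problem with reading the SSL CA cert (path? access rights?)
$Meaning = @{
    0  = "chain verified"
    60 = "chain NOT trusted by the store in effect"
    77 = "CA bundle unreadable"
}

function Invoke-CurlProbe {
    param([string]$Label, [string[]]$ExtraArgs = @())

    # -v with '--stderr -' puts the verbose log on stdout so it can be filtered;
    # -s keeps the progress meter out of the way; -o NUL discards the body.
    $log  = & $Curl -sv --stderr - -o NUL @ExtraArgs $Url
    $code = $LASTEXITCODE
    $what = if ($Meaning.ContainsKey($code)) { $Meaning[$code] } else { "curl exit code $code" }

    "`n== $Label (exit $code): $what"
    # Lines naming the CA file/path or a certificate store tell you where the
    # roots came from; with OpenSSL they typically look like '*  CAfile: ...'.
    $log | Select-String -Pattern 'CAfile|CApath|store' |
        ForEach-Object { "   " + $_.Line.Trim() }
}

# The first line of -V names the TLS backend. --ca-native selects the Windows
# store only for OpenSSL-family builds; a Schannel build uses it unconditionally.
"== " + (& $Curl -V | Select-Object -First 1)

Invoke-CurlProbe "built-in default"              @()
Invoke-CurlProbe "explicit bundle via --cacert"  @("--cacert", $Bundle)
Invoke-CurlProbe "Windows store via --ca-native" @("--ca-native")
```

Against a stock curl+OpenSSL build the first probe succeeds only if a CA bundle was baked in at build time, and the Windows store is consulted only in the third probe. A build in which OpenSSL itself defaults to the Windows store, the change the issue asks for, would succeed on the first probe as well, which is the trust-store switch the maintainer's reply treats as a major behaviour change.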

@bagder
Member

bagder commented Apr 22, 2024

If winstore becomes the default for OpenSSL, then curl should do the same.

First, I don't understand what that proposed change actually does.

Then: suddenly making curl use a completely different trust store is a major behavior change with a potentially huge security impact. It will not be done lightly and not without careful scrutiny, planning, communication and not the least a long time to first make sure everyone would be aware of such a switch. It cannot happen soon.

@bagder
Member

bagder commented Apr 22, 2024

This description sounds as if you're asking for a new feature/change. We use this tracker for bugs and issues only; we put ideas to work on in the future in the TODO document. We basically drown in good ideas, so they are of little use in our tracker.

If you really want to see this happen, start working on an implementation and submit a PR for it or join the mailing list and talk up more interest for it and see what help from others you can get!

@curl curl locked and limited conversation to collaborators Apr 23, 2024
@bagder bagder converted this issue into discussion #13446 Apr 23, 2024