在编译时为 libcurl 定义 CA 信息
Define CA Info at Compile Time for libcurl
我已经使用 OpenSSL 为 Windows x64 构建了 libcurl。如果我使用 libcurl 命令指定 CA 信息,如下所示,我可以通过 https post 我的数据。
curl_easy_setopt(curl_handle, CURLOPT_CAINFO, "C:\cacert.pem");
我的问题是关于“证书验证”标题下的选项 3:https://curl.haxx.se/docs/sslcerts.html
3) Add the CA cert for your server to the existing default CA certificate store. The default CA certificate store can changed at compile time with the following configure options:
--with-ca-bundle=FILE: use the specified file as CA certificate store. CA certificates need to be concatenated in PEM format into this file.
--with-ca-path=PATH: use the specified path as CA certificate store. CA certificates need to be stored as individual PEM files in this directory. You may need to run c_rehash after adding files there.
这些设置是否仅适用于命令行,或者是否可以在编译时将 libcurl 配置为始终使用相同的 CA 信息?
谢谢!
Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?
cURL 具有相同的编译时间设置。更准确地说,它们是 Autotools 选项。
curl-7.57.0$ ./configure --help
`configure' configures curl - to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
...
--with-ca-bundle=FILE Path to a file containing CA certificates (example:
/etc/ca-bundle.crt)
--without-ca-bundle Don't use a default CA bundle
--with-ca-path=DIRECTORY
Path to a directory containing CA certificates
stored individually, with their filenames in a hash
format. This option can be used with OpenSSL, GnuTLS
and PolarSSL backends. Refer to OpenSSL c_rehash for
details. (example: /etc/certificates)
--without-ca-path Don't use a default CA path
--with-ca-fallback Use the built in CA store of the SSL library
--without-ca-fallback Don't use the built in CA store of the SSL library
我偶尔构建 cURL 以在 CentOS 5 等较旧的系统上进行测试。我发现下载更新的 cacert.pem 然后使用 --with-ca-bundle.
是最简单的
如果您想使用 --with-ca-path,那么每个证书都经过哈希处理。因此,您将拥有一个包含 120 或 150 个文件的目录。这些文件的名称将类似于 NNNNNNNN.0、NNNNNNNN.1 等。 NNNNNNNN 将是一个散列,通过增加后缀来解决冲突。
我将用于在线构建 cURL 的脚本保存在 Build-Scripts | build-curl.sh。
我已经使用 OpenSSL 为 Windows x64 构建了 libcurl。如果我使用 libcurl 命令指定 CA 信息,如下所示,我可以通过 https post 我的数据。
curl_easy_setopt(curl_handle, CURLOPT_CAINFO, "C:\cacert.pem");
我的问题是关于“证书验证”标题下的选项 3:https://curl.haxx.se/docs/sslcerts.html
3) Add the CA cert for your server to the existing default CA certificate store. The default CA certificate store can changed at compile time with the following configure options:
--with-ca-bundle=FILE: use the specified file as CA certificate store. CA certificates need to be concatenated in PEM format into this file.
--with-ca-path=PATH: use the specified path as CA certificate store. CA certificates need to be stored as individual PEM files in this directory. You may need to run c_rehash after adding files there.
这些设置是否仅适用于命令行,或者是否可以在编译时将 libcurl 配置为始终使用相同的 CA 信息?
谢谢!
Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?
cURL 具有相同的编译时间设置。更准确地说,它们是 Autotools 选项。
curl-7.57.0$ ./configure --help
`configure' configures curl - to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
...
--with-ca-bundle=FILE Path to a file containing CA certificates (example:
/etc/ca-bundle.crt)
--without-ca-bundle Don't use a default CA bundle
--with-ca-path=DIRECTORY
Path to a directory containing CA certificates
stored individually, with their filenames in a hash
format. This option can be used with OpenSSL, GnuTLS
and PolarSSL backends. Refer to OpenSSL c_rehash for
details. (example: /etc/certificates)
--without-ca-path Don't use a default CA path
--with-ca-fallback Use the built in CA store of the SSL library
--without-ca-fallback Don't use the built in CA store of the SSL library
我偶尔构建 cURL 以在 CentOS 5 等较旧的系统上进行测试。我发现下载更新的 cacert.pem 然后使用 --with-ca-bundle.
如果您想使用 --with-ca-path,那么每个证书都经过哈希处理。因此,您将拥有一个包含 120 或 150 个文件的目录。这些文件的名称将类似于 NNNNNNNN.0、NNNNNNNN.1 等。 NNNNNNNN 将是一个散列,通过增加后缀来解决冲突。
我将用于在线构建 cURL 的脚本保存在 Build-Scripts | build-curl.sh。