Configure cURL to use default system cert store on Windows


Problem description

I have a command line application that is using the libcurl-4 DLLs, and currently I can get everything to work by placing my CA certs in my working directory and passing their names to the CURLOPT_CAINFO and CURLOPT_SSLCERT with ./ prefix to their names.

But, what I am working on is getting cURL to not use what is in the current directory and instead use the certs that are stored in my computer's system store.

From reading cURL's documentation I understand that if you configure it without giving a specified default ca-bundle or ca-path that it will "auto-detect a setting".

And that the CURLOPT_CAINFO is by default set to "built-in system specific".

So can anyone help me understand:


  1. If nothing is specified at configure time with curl, is the default path it detects the system store? Or does curl use its own path for a system store?

  2. What value do you give curl_easy_setopt(m_curlHandle, CURLOPT_CAINFO, *<value> ) to make CURLOPT_CAINFO go use its default value?

Any help is appreciated as I am still learning how this all works.

Thanks.

Recommended answer

OpenSSL does not support using the "CA certificate store" that Windows has on its own. If you want your curl build to use that cert store, you need to rebuild curl to use the schannel backend instead (aka "winssl"), which is the Windows native version that also uses the Windows cert store by default.

If you decide to keep using OpenSSL, you simply must provide CA certs in either a PEM file or a specially crafted directory. As Windows doesn't provide its system store using that format, you either have to get a suitable store from somewhere or figure out how to convert the Windows cert store to PEM format.

Starting with libcurl 7.71.0, due to ship on June 24, 2020, it will get the ability to use the Windows CA cert store when built to use OpenSSL. You then need to use the CURLOPT_SSL_OPTIONS option and set the correct bit in the bitmask: CURLSSLOPT_NATIVE_CA.
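
For the second option in the answer (staying on OpenSSL and supplying a PEM file), here is one way to convert the Windows store, as an added example that is not part of the original answer. The PowerShell script exports the currently valid certificates from Cert:\LocalMachine\Root into a bundle whose path can be passed to CURLOPT_CAINFO; the output path is a constructed placeholder.

```powershell
# Added example, not from the original answer.
# $OutFile is a constructed placeholder path; keep the bundle in a directory
# that only administrators can write to, because it defines who is trusted.
param(
    [string]$OutFile = 'C:\ProgramData\ExampleApp\ca-bundle.pem'
)

$now = Get-Date

# Machine-wide trusted roots only. Cert:\CurrentUser\Root is left out on
# purpose so that roots installed only in one user's profile are not trusted.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object -Property Thumbprint -Unique

if (-not $roots) {
    throw 'No currently valid certificates found in Cert:\LocalMachine\Root'
}

$pem = New-Object System.Text.StringBuilder
foreach ($cert in $roots) {
    # RawData is the DER encoding; PEM is base64 of it between markers.
    $b64 = [System.Convert]::ToBase64String(
        $cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    # Lines outside the BEGIN/END markers are ignored by the PEM reader.
    [void]$pem.AppendLine("# Subject:    $($cert.Subject)")
    [void]$pem.AppendLine("# Thumbprint: $($cert.Thumbprint)")
    [void]$pem.AppendLine('-----BEGIN CERTIFICATE-----')
    [void]$pem.AppendLine($b64)
    [void]$pem.AppendLine('-----END CERTIFICATE-----')
    [void]$pem.AppendLine()
}

# Create the target directory if needed, then write ASCII without a BOM.
$dir = Split-Path -Parent $OutFile
if (-not (Test-Path $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}
Set-Content -Path $OutFile -Value $pem.ToString() -Encoding Ascii

Write-Output ("Wrote {0} certificates to {1}" -f @($roots).Count, $OutFile)
```

The file is a point-in-time snapshot: Windows can add or remove roots later (it also fetches some roots on demand), so regenerate it on a schedule rather than shipping it once.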
