I am developing a C++ application (cross-platform: Windows, Mac and Linux) that should communicate securely with servers over HTTPS using libcurl (built against winssl / darwinssl / openssl on Windows / Mac / Linux respectively). I changed the curl option CURLOPT_SSL_VERIFYPEER from 0 to 1, which should help prevent MitM problems.
This caused problems, since an initial search indicates that this option is disabled; but after digging deeper I found:
Get a CA certificate that can verify the remote server and use the proper option to point out this CA cert for verification when connecting. For libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath); (from the curl docs)
and
Get a better / different / newer CA cert bundle! One option is to extract the one a recent Firefox browser uses by running "make ca-bundle" in the root of the curl build tree, or possibly download a version that was generated this way for you. (from the curl docs)
I actually use CURLOPT_CAINFO for the bundle, as I saw some problems using CURLOPT_CAPATH on Windows (curl docs). I download and install this bundle along with the application on Windows and Mac, and I would like to know if this is the right thing to do or if there is a better practice.
This initially caused problems for users of the application on some corporate networks or behind a proxy server, which seemed to be fixed by building libcurl against winssl instead of openssl on Windows; although this was potentially masked by a firewall problem, so it is still unclear, it seems likely.
Sorry for the length.
Is it not silly to install ca-cert-bundle.crt together with the application, and is there something that should be done differently in order to communicate securely with the server from this installed application?
A slightly separate but still very related problem: I have CURLOPT_CAINFO on Linux giving an error:
error setting certificate verify locations: CAfile: ../share/my_application/curl-ca-bundle.crt CApath: none
although attempting to open the file for reading from the application succeeds. Edit: This problem was resolved by NOT setting CURLOPT_CAINFO on Linux (leaving it blank) and adding the ca-certificates package as a dependency of the application package. The default path /etc/ssl/certs/ca-certificates.crt is correct and seems to work. To me, this is slightly better than installing a bundle with the application.
Edit 2: However, it turned out that the ca-certificates package sometimes does not install ca-certificates.crt but ca-bundle.crt instead, and the locations change across distributions; this source, happyassassin.net, shows that different Linux systems store CA bundles in different places. There does not seem to be a clear answer on HOW to handle this. Should I use a value in a configuration file that the user can then change, or are there any other thoughts on this?
Edit 3: Some users have indicated that my name appears in one of the paths curl looks in; I'm not quite sure how this is possible, since the only thing I pointed curl at is where I built the openssl / c-ares libraries...
I understand this is a busy / multi-part question, but it's all on the same subject as the title; I would appreciate any help.
Thanks.
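One way to handle the Edit 2 question (CA bundle locations differing between distributions) is to resolve the CURLOPT_CAINFO path at startup in a fixed order: a user-configurable override first, then the well-known distro locations, then the bundle shipped with the application. The code below is an added example written for this thread, not the poster's code or libcurl's; the list of known paths and the "at least one PEM certificate" check are my assumptions, and the returned string is what you would pass to CURLOPT_CAINFO.

```cpp
// Added example: choose a CA bundle path for CURLOPT_CAINFO.
// Order: config override -> well-known distro locations -> bundled fallback.
#include <fstream>
#include <string>
#include <vector>

// Assumed list of common bundle locations (Debian/Ubuntu, Fedora/RHEL,
// openSUSE, Alpine and similar); extend it for the distributions you ship on.
static const std::vector<std::string> kKnownBundles = {
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/ca-bundle.pem",
    "/etc/pki/tls/cacert.pem",
    "/etc/ssl/cert.pem",
};

// A file is usable only if it opens for reading AND contains at least one
// PEM certificate. This rejects empty or wrong-format files that a plain
// "open for reading" test (as in the question) would accept.
bool isPemBundle(const std::string& path) {
    std::ifstream in(path);
    if (!in) return false;
    std::string line;
    while (std::getline(in, line)) {
        if (line.rfind("-----BEGIN CERTIFICATE-----", 0) == 0) return true;
    }
    return false;
}

// Returns the path to hand to CURLOPT_CAINFO, or "" if nothing usable was
// found. On "" the application should refuse to connect (or report a clear
// error) rather than fall back to CURLOPT_SSL_VERIFYPEER = 0.
std::string resolveCaBundle(const std::string& configOverride,
                            const std::vector<std::string>& knownPaths,
                            const std::string& bundledFallback) {
    if (!configOverride.empty() && isPemBundle(configOverride)) {
        return configOverride;  // user-supplied path wins when it is valid
    }
    for (const auto& p : knownPaths) {
        if (isPemBundle(p)) return p;  // first usable system bundle
    }
    if (isPemBundle(bundledFallback)) return bundledFallback;  // shipped copy
    return "";
}
```

Call it as `resolveCaBundle(cfgPath, kKnownBundles, appDir + "/share/my_application/curl-ca-bundle.crt")` with `appDir` derived from the executable location, so the shipped fallback does not depend on the process's working directory.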