libcpr / cpr

C++ Requests: Curl for People, a spiritual port of Python Requests.

Home Page: https://docs.libcpr.org/

Openssl support

whoshuu opened this issue

Is this OpenSSL specific or are you talking about generic TLS support? I guess as user of curl, you should be able to abstract away from the TLS implementation used.

Yeah I should clarify that I want generic TLS support. The library client should probably not care what's used behind the scenes to do TLS, this is purely a build step detail.

That said, if I were to embed a particular TLS library, OpenSSL appears to be the way to go.

On Windows and OS X, you can configure cURL to simply use the OS-provided TLS stacks (Secure Channel, Secure Transport), which has multiple upsides over shipping OpenSSL or one of its forks:

  • smaller binary size, because the library is already there
  • no need to maintain/update the list of trusted root certificates, which is not included in OpenSSL
  • no need to issue emergency patches of your app when the next security issue in the TLS library is found, because the OS vendor will do it

On Linux, you can feed the OS-provided trusted root certificates to cURL if you can find them. Here's where we look for them in Kullo:
https://github.com/kullo/client-httpclient-curl/blob/master/httpclient/cabundle.cpp

The CA bundle can then be fed to cURL using CURLOPT_CAINFO:
https://github.com/kullo/client-httpclient-curl/blob/master/httpclient/httpclientimpl.cpp#L137
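
As an added example (not part of the original thread, and not Kullo's or cpr's code), here is one way to locate a usable CA bundle on Linux before handing it to CURLOPT_CAINFO. The candidate paths and the function names `find_ca_bundle` and `looks_like_pem_bundle` are assumptions; the libcurl call appears only as a comment so the block builds without libcurl.

```cpp
#include <cstdio>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>

// Common Linux CA bundle locations (assumed list; distributions differ).
static const std::vector<std::string> kDefaultCaBundles = {
    "/etc/ssl/certs/ca-certificates.crt",                // Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora, RHEL
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS, RHEL 7+
    "/etc/ssl/ca-bundle.pem",                            // openSUSE
    "/etc/ssl/cert.pem",                                 // Alpine
};

// True if the file is readable and holds at least one PEM certificate.
// Empty or non-PEM files are skipped so they are never passed to libcurl.
bool looks_like_pem_bundle(const std::string& path) {
    std::ifstream in(path);
    if (!in) return false;
    std::string line;
    while (std::getline(in, line)) {
        if (line.find("-----BEGIN CERTIFICATE-----") == 0) return true;
    }
    return false;
}

// Returns the first usable bundle, or "" when none is found.
std::string find_ca_bundle(const std::vector<std::string>& candidates) {
    for (const std::string& path : candidates) {
        if (looks_like_pem_bundle(path)) return path;
    }
    return "";
}

int main() {
    const std::string bundle = find_ca_bundle(kDefaultCaBundles);
    if (bundle.empty()) {
        // Fail closed: do not fall back to disabling verification.
        std::cerr << "no CA bundle found, refusing to make TLS requests\n";
        return 1;
    }
    // With libcurl: curl_easy_setopt(curl, CURLOPT_CAINFO, bundle.c_str());
    std::cout << "CA bundle: " << bundle << "\n";
    return 0;
}
```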

FYI: people just looking to make quick and dirty requests over SSL should be able to do so by linking against libCURL (compiled with OpenSSL).
Just add it to your CMake lists and executable:
find_package(CURL)
include_directories(${CURL_INCLUDE_DIRS})
target_link_libraries(exe ${CURL_LIBRARY})

Is it currently possible to make connections via OAuth?

There are some options for SSL:

Do not check SSL:

curl_easy_setopt(curl_, CURLOPT_SSL_VERIFYPEER, 0L); // no certificate chain verification
curl_easy_setopt(curl_, CURLOPT_SSL_VERIFYHOST, 0L); // no host name check

Self-signed certificate:

curl_easy_setopt(curl_, CURLOPT_SSLCERTTYPE, "DER");
curl_easy_setopt(curl_, CURLOPT_CAINFO, path_to_cert_.c_str());
curl_easy_setopt(curl_, CURLOPT_SSL_VERIFYPEER, 1L); // verify the chain against CAINFO
curl_easy_setopt(curl_, CURLOPT_SSL_VERIFYHOST, 0L); // no host name check

Signed certificate:

curl_easy_setopt(curl_, CURLOPT_CAINFO, "keys/curl-ca-bundle.crt");

It's good to use public web servers for unit tests.
For SSL, https://badssl.com/ is good.
Common requests: https://httpbin.org/

> It's good to use public web servers for unit tests.

I disagree: you want unit tests to be able to run without any external dependencies. Integration tests are a different story though. But even those you probably want to run against a server whose configuration you control (e.g. one you spawn as part of the test run).

Btw, couldn't find in the docs but there is a way to disable SSL checks without going down to libcurl calls.

cpr::Session session;
session.SetVerifySsl(false);
session.SetUrl(...);
auto response = session.Get();

Hope it helps someone!

> Btw, couldn't find in the docs but there is a way to disable SSL checks without going down to libcurl calls.
>
> cpr::Session session;
> session.SetVerifySsl(false);
> session.SetUrl(...);
> auto response = session.Get();
>
> Hope it helps someone!

Thank you so much! Simple and effective!

What's the status of this? It looks like the CI has fallen behind. However the merge isn't all that big to begin with. What's holding this feature back from being merged into mainline?