开发者

HTTPS using cURL, using openssl with the capi engine

问答 作者:

I'm attempting to use https using cURL 7.21.1 with OpenSSL 1.0.0d, using OpenSSL's builtin capi engine for certificate authority checking, but it returns CURLE_SSL_CACERT (60) on curl_easy_perform().

#include <openssl/conf.h>
#include <openssl/engine.h>
#include <openssl/ssl.h>
#define CURL_NO_OLDIES
#define CURL_STATICLIB
#include <curl.h>

// Don't forget libeay32.lib, ssleay32.lib, curl.lib
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "wldap32.lib")
#pragma comment(lib, "crypt32.lib")

int main(int argc, char* argv[])
{
    OPENSSL_no_config();
    ENGINE_load_capi();
    // Same effect, despite ok = 1 both times:
    // ENGINE* capi = ENGINE_by_id("capi");
    // int ok = ENGINE_init(capi);
    // ok = ENGINE_register_complete(capi);

    CURLcode e = curl_global_init(CURL_GLOBAL_DEFAULT);
    CURL* curl = curl_easy_init();

    e = curl_easy_setopt(curl, CURLOPT_URL, "https://www.google.com/");
    e = curl_easy_perform(curl); // returns CURLE_SSL_CACERT
    return 0;
}

If I test "openssl s_client -connect www.google.com:443" with the f开发者_开发知识库ollowing config:

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
capi = capi_config

[capi_config]
engine_id = capi
init=1

based on http://www.mail-archive.com/openssl-users@openssl.org/msg62249.html, I receive:

verify error:num=20:unable to get local issuer certificate

The thing that is confusing me, is that when I first wrote the actual program this is failing in, it had the same failure until I added ENGINE_load_capi(). I would like to avoid using a CA bundle, since the actual program may be running inside random corporate networks, and they might be using private CAs.

Sounds like OpenSSL is having an issue finding the default certificate store? The following SO question resolved a similar error by specifying the CA file explicitly, but it sounds like you'd like to avoid that configuration.

OpenSSL unable to get local issuer certificate unless CAfile is explicitly specified

Maybe you can try to add the following line in your file on which you have access the domain. curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, false);

继续阅读:ccurlopenssl

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9