On Wed, Oct 18, 2023 at 10:38 AM Daniel Stenberg <dan...@haxx.se> wrote:
>
> On Tue, 17 Oct 2023, Jeroen Ooms wrote:
>
> > To me the situation seems a bit less edge-case than you portray it; on a lot
> > of systems there may not be a CA pem bundle, hence using the system certs
> > seems like a sensible default to build a portable (lib)curl. But I see the
> > backward-compatibility issue, so we can just patch this in our build, no
> > problem at all.
>
> Switching between a CA cert bundle and the system CA store is something that
> shouldn't be treated or done lightly.
>
> HTTPS and TLS are based on trust. The bundle lists the CAs you trust. If you
> use curl with a CA bundle, that bundle contains the CAs you trust. To some
> level and extent. Sure, most people won't care or know or meddle with that,
> but some will. That's what the CA bundle allows.
>
> Changing this trust source from the bundle to the system CA store without the
> user's consent is dangerous and will likely in some cases suddenly make
> transfers go through that otherwise would be rejected. Or vice versa. Contrary
> to what the user wants.
Yes, 100% agree. This is precisely why we want our curl build for Windows to
use the system CA store, regardless of which CURL_SSL_BACKEND is picked at
runtime. Currently it uses the Windows CA store for Schannel (the default), but
when the user sets CURL_SSL_BACKEND=openssl, it uses CURL_CA_BUNDLE.

I think that Windows is different from Linux distributions in what can be
considered the safe CA source. On Linux you may assume your distro provides an
up-to-date openssl and CA bundle. But on Windows, openssl is usually
statically linked in curl, and the OS does not provide an official CA pem
bundle. The application needs to ship some CA.pem which does not receive
updates from MS. Only the native Windows CA store receives automatic
(critical) Windows updates.

Either way, just explaining my suggestion, but I completely understand your
point. We will just handle this in the bindings. Thanks!

--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html