Darrell: Thanks for the tip, but this is what I'm doing now that's not working in my environment.

Wim: Thanks for the tips. Apparently, there's lots of buzz about this behavior of OpenSSL, particularly about $SSL_CERT_FILE not being used. I have also encountered a problem in Wt where setSslVerifyPath comes up unresolved when I tried to test that. Should I assume that if $SSL_CERT_FILE and/or $SSL_CERT_DIR are being properly set (and used) in OpenSSL, I should not have to call these functions at the Wt level?

I'll look into your suggestions and get back to you on what I find. It will probably take a day or two.

Best,
-dan

> Message: 1
> Date: Fri, 17 Oct 2014 14:45:54 +0200
> From: Wim Dumon <w...@emweb.be>
> Subject: Re: [Wt-interest] Http client
> To: witty-interest@lists.sourceforge.net
> Message-ID:
>     <CAJ2=PVQ6ck6=1copdbq8jn+takuwfcgncz6ouo0c4up-q4d...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I believe the certificate directory has to be in a very specific format.
> See https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html in
> the examples section. Other than that, I have no experience with it.
>
> BR,
> Wim.
>
> 2014-10-16 23:51 GMT+02:00 Darrell Wright <darrell.wri...@gmail.com>:
>
> > According to boost, ssl::context::add_verify_path should allow the use of
> > CA certs in a path (1 per file). However http client setSslVerifyPath
> > did not work for me when I supplied a ca certs folder from another
> > machine. Pinning the cert worked better for me in this case because I
> > knew the identity of the server ahead of time though.
> >
> > On 2014-10-16 4:44 AM, Wim Dumon wrote:
> > > Thanks Darrell, I was a bit confused indeed. For Http Client Wt does the
> > > following:
> > > - call SSL_CTX_set_default_verify_paths (which seems to have little
> > >   effect on Windows)
> > > - if a verifyFile or a verifyPath was given, call
> > >   SSL_CTX_load_verify_locations (which you can use to load the
> > >   certificates you trust)
> > >
> > > Unfortunately OpenSSL does not look in the windows certificate store.
> > > We could add that as an option. Question is if this isn't more OpenSSL's
> > > task to do than Wt's. You can work around this by specifying your
> > > certificate file as Darrell suggests.
> > >
> > > BR,
> > > Wim.
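
The "very specific format" of a certificate directory mentioned in the thread is a naming rule: OpenSSL opens only files named `<hash>.<n>` in a verify path. The following check is an added example, not part of the original thread and not Wt or OpenSSL code; `audit_ca_dir` and `demo` are hypothetical names, and the file names and hash values in the sample directory are constructed.

```python
import os
import re
import tempfile

# OpenSSL finds a CA in a directory by file name only: "<hash>.<n>", eight
# lowercase hex digits of the subject-name hash plus a counter from 0.
HASHED_NAME = re.compile(r"^([0-9a-f]{8})\.(0|[1-9]\d*)$")


def audit_ca_dir(path):
    """Return (usable, ignored, unreachable) file names for a CA directory."""
    by_hash, ignored = {}, []
    for name in sorted(os.listdir(path)):
        m = HASHED_NAME.match(name)
        if m:
            by_hash.setdefault(m.group(1), set()).add(int(m.group(2)))
        else:
            ignored.append(name)  # e.g. MyRootCA.pem: never opened by the lookup
    usable, unreachable = [], []
    for h, counters in sorted(by_hash.items()):
        n = 0
        while n in counters:  # lookup tries .0, .1, ... and stops at the first miss
            usable.append(f"{h}.{n}")
            n += 1
        unreachable.extend(f"{h}.{c}" for c in sorted(counters) if c > n)
    return usable, ignored, unreachable


def demo():
    """Audit a constructed directory; the hash values are made up."""
    names = ["ca-bundle.crt", "MyRootCA.pem", "4a6481c9.0", "4a6481c9.1",
             "9d66eef0.0", "9d66eef0.2"]
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            open(os.path.join(d, name), "w").close()
        return audit_ca_dir(d)


if __name__ == "__main__":
    usable, ignored, unreachable = demo()
    print("usable:     ", usable)
    print("ignored:    ", ignored)
    print("unreachable:", unreachable)
```

The check covers file names only. Whether a name matches the hash of the certificate inside it has to be confirmed with OpenSSL itself (`c_rehash`, or `openssl x509 -hash` on each file), using the same OpenSSL version the application links against.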