« Reasons for FileMaker… | Home | Encoded Polyline Algo… »

Using system SSL Certificates in CURL


The CURL library supports various SSL backends. We build currently CURL in three variants. The main one uses OpenSSL cross platform. For Windows we build a second copy using Windows own SSL. For MacOS and iOS we build the third variant with transport security. The native SSL libraries from Mac and Windows use the certificates installed on the system, while we need to supply our own certificates for SSL with OpenSSL. You can download cacert.pem with common root certificates from CURL website. Or just use the certificate from your website if you only need to connect to the same server (certificate pinning). We need OpenSSL as SSH2 library uses it for the SSL part.

For MacOS we search the keychain for certificates. We copy the data for each certificate and use OpenSSL function d2i_X509 to parse it. Than we store it in a global std::vector.

For Windows, we open CA, AuthRoot and ROOT stores with CertOpenSystemStore function. We enumerate all certificates and add them to the same vector as for MacOS.

In CURL we use CURLOPT_SSL_CTX_FUNCTION option to set our callback. In the callback, we get the X509_STORE from the SSL context via SSL_CTX_get_cert_store function. We loop over our certificates and add each via X509_STORE_add_cert function. Now all certificates are loaded and we can enable verification.

Sample code: CURLSSLCertificatesWin.cpp and CURLSSLCertificatesMac.cpp.

In our Xojo plugin, simply call UseSystemCertificates method in CURLSMBS class to load certificates into this instance. In FileMaker, please call CURL.UseSystemCertificates function on the CURL session.
30 03 19 - 18:11