cURL without cacert or capath options

October 6, 2021

curl, as its manual says, is a tool for transferring data from or to a server using one of many application-layer Internet protocols, including HTTPS. With HTTPS, curl works as a command-line browser and performs the TLS handshake. The cURL --cacert option specifies a certificate file to verify the peer against; --capath tells curl to use a certificate directory instead of a file. Without these options curl uses a default certificate file. This article is about how to find the default certificate file used by curl and where that default is defined. Running curl with the verbose option prints the name and location of the default certificate file.

For example, on CentOS 8:
Get the default certificate file using the curl command:


# curl -v https://ladydebug.com |& grep 'pem\|crt'
* CAfile: /etc/pki/tls/certs/ca-bundle.crt

Alternatively, wrapping curl with strace:


# strace -e trace=openat curl https://ladydebug.com |& grep 'pem\|crt'
openat(AT_FDCWD, "/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 4

There are several functions defined in ssl.h that assign the appropriate certificate file, for example SSL_CTX_use_certificate_file.
Now I tried to find where ca-bundle.crt is taken from. There is no curl config file on that system. I began to search in the binaries. As a first step I tried to figure out the shared object related to curl:


# ldd /usr/bin/curl | grep curl
libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f68458ee000)

Now, checking whether ca-bundle.crt is defined there:


# strings /lib64/libcurl.so.4 | grep 'pem\|crt'
/etc/pki/tls/certs/ca-bundle.crt

The default certificate file is hard-coded in libcurl.so.4 and was probably defined during curl installation, as described in that article.

Now the same for Ubuntu 16:
• curl with the verbose option:


# curl -v https://ladydebug.com |& grep 'crt\|pem'
* found 129 certificates in /etc/ssl/certs/ca-certificates.crt

• strace:


# strace -e trace=open curl https://ladydebug.com |& grep ca-certificates.crt
open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 5
open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 6

• ldd:


# ldd /usr/bin/curl | grep curl
libcurl-gnutls.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 (0x00007f0affb7b000)

• strings:


# strings /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 | grep ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt
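The probes above can be combined into one script that reports which bundle curl says it uses, which path is compiled into libcurl, and how many certificates the file actually holds. This is an added example written for this article, not code from the original post or from the curl project; it assumes a POSIX sh with sed, awk and grep, and treats ldd and strings as optional.

```shell
#!/bin/sh
# Added example (not from the original post): locate the CA bundle curl uses,
# combining the probes the article walks through (curl -v, ldd + strings),
# then sanity-check the bundle. Assumes POSIX sh with sed/awk/grep.

# Pull the CA file path out of `curl -v` output read on stdin. OpenSSL-backed
# builds (CentOS) print "*  CAfile: /path"; GnuTLS-backed builds (Ubuntu) print
# "* found N certificates in /path". Prints the first match, if any.
cafile_from_verbose() {
  sed -n \
    -e 's/^\*[[:space:]]*CAfile:[[:space:]]*//p' \
    -e 's/^\*[[:space:]]*found [0-9][0-9]* certificates in[[:space:]]*//p' |
    sed -n '1p'
}

# The article's ldd + strings method: find the libcurl the curl binary links
# against and print the first absolute *.crt or *.pem path compiled into it.
# Returns 1 quietly when curl, ldd or strings is not installed.
cafile_from_libcurl() {
  curl_bin=$(command -v curl) || return 1
  lib=$(ldd "$curl_bin" 2>/dev/null | awk '/libcurl/ { print $3; exit }')
  [ -n "$lib" ] && [ -r "$lib" ] || return 1
  strings "$lib" 2>/dev/null | grep -E '^/.*\.(crt|pem)$' | head -n 1
}

# Count the PEM certificates in a bundle so the figure can be compared with
# what curl reports ("found 129 certificates"); returns 1 if unreadable.
count_certs() {
  [ -r "$1" ] || return 1
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed sample of both verbose formats, for offline use of the parser.
SAMPLE_VERBOSE='* Connected to example.invalid port 443
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* found 129 certificates in /etc/ssl/certs/ca-certificates.crt'

# Live run against a URL given on the command line (-s hides the progress
# meter that garbled the strace output above; -v still goes to stderr).
if [ "$#" -gt 0 ]; then
  live=$(curl -sv -o /dev/null "$1" 2>&1 | cafile_from_verbose)
  echo "curl -v reports:        ${live:-none}"
  echo "compiled into libcurl:  $(cafile_from_libcurl || echo unknown)"
  if [ -n "$live" ]; then
    echo "certificates in bundle: $(count_certs "$live" || echo unreadable)"
  fi
fi
```

Run it as `sh find_cafile.sh https://ladydebug.com` (script name assumed); with no argument it only defines the functions, so they can be sourced into another shell.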
