cURL without cacert or capath options

By | October 6, 2021

The curl as mention in its manual is the tool to transfer data from or to a server, using one of the different application-layer Internet protocol including HTTPS. With HTTPS curl works as CLI browser and supports TLS handshake process. cURL cacert option is used to specify certificate file to verify the peer, capath tells curl to use certificate directory instead of file. Without this options curl uses default certificate file. This article is about how to find default certificate file used by curl and where this default file is defined. curl with verbose option provides name and location of default certificate file.

For example CentOS 8:
Get default certificate file using curl command:

# curl -v |& grep 'pem\|crt'
* CAfile: /etc/pki/tls/certs/ca-bundle.crt

Alternatively wrapping curl with strace:

# strace -e trace=openat curl |& grep 'pem\|crt'
openat(AT_FDCWD, “/etc/pki/tls/certs/ca-bundle.crt”, O_RDONLY) = 4

There are several function defined in ssl.h which assigns appropriate certificate file, for example: SSL_CTX_use_certificate_file.
Now I tried to find where ca-bundle.crt is taken from. There is no curl config file in that system. I began to search in binaries. In the first step I tried to figure out shared object related to curl:

# ldd /usr/bin/curl | grep curl => /lib64/ (0x00007f68458ee000)

Now looking if ca-bundle.crt is defined there:

# strings /lib64/ | grep 'pem\|crt'

The default certificate file is hard coded in and probably defined during curl installation as described in that article.

Now the same for Ubuntu 16:
• curl with verbose option:

# curl -v |& grep ‘crt\|pem’
* found 129 certificates in /etc/ssl/certs/ca-certificates.crt

• strace:

# strace -e trace=open curl |& grep ca-certificates.crt
0   0   0   0   0   0   0   0 –:–:– –:–:– –:–:– 0open(“/etc/ssl/certs/ca-certificates.crt”, O_RDONLY) = 5
open(“/etc/ssl/certs/ca-certificates.crt”, O_RDONLY) = 6

• ldd:

# ldd /usr/bin/curl | grep curl => /usr/lib/x86_64-linux-gnu/ (0x00007f0affb7b000)

• strings:

# strings /usr/lib/x86_64-linux-gnu/ | grep ca-certificates.crt

Leave a Reply

Your email address will not be published. Required fields are marked *