Find the path to the certificate bundle in runtime #1135
Conversation
The change makes the compiled library work on different distributions, even if the path to the certificate bundle in runtime is different compared to the path where it was during compilation. This can be useful when the compilation is done on a manylinux Docker image which is based on CentOS, but the compiled library/binaries are used on Ubuntu or Debian.
|
@moratom thanks for submitting this PR! cpr provides a way for you to set the ca path manually during runtime e.g. via: cpr::SslOptions opts;
opts.ca_info = "/some/path.ca";
cpr::Response r = cpr::Get(opts, ...);So you can first probe which paths exist and then set them accordingly. Using "random" paths on different distros is a security risk in case they are compromised since out of the box the directory structure has not the correct permissions set since this path is not intended to be used by this distro for that. |
|
Thanks for taking a look @COM8!
That's a very good point. The specific use-case we have is that we use CPR&Curl in a project with Python bindings. We provide manylinux wheels, which means we only compile once and it then generally works on most distributions. CPR/Curl is where this breaks as the wheels afterwards only work on Centos based distributions, but not on Ubuntu for example. |
|
In my eyes this runtime check on startup is the only way. If you want to go the full way perhaps take |
The change makes the compiled library work on
different distributions, even if the path to the
certificate bundle in runtime is different compared to the path where it was during compilation.
This can be useful when the compilation is done on a manylinux Docker image which is based on CentOS, but the compiled library/binaries are used on
Ubuntu or Debian.
Related issue: curl/curl#11411
Maintainers of CURL were not interested in mainlining this, so I understand if this is not suitable for the default behavior, but it would be nice to be able to at least optionally turn that on in runtime.