Description
Describe the feature
(moved from discussion #2724)
Pass CURLSSLOPT_NATIVE_CA to aws-sdk-cpp
Use Case
This might be an issue but it's also very likely this is possible and I just don't know how to do it.
I am using aws-sdk-cpp on Windows and have a custom build of OpenSSL and Curl. When I try to make an https request using Curl directly, I get the error:
SSL peer certificate or SSH remote key was not OK
I can fix this by either setting a certificate with:
curl_easy_setopt(curl, CURLOPT_CAINFO, "cacert.pem");  // point libcurl at a CA bundle file
(Where "cacert.pem" is one I grabbed from here).
Or I can use:
curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NATIVE_CA);  // use the OS trust store instead
Where CURLSSLOPT_NATIVE_CA states "Tell libcurl to use the operating system's native CA store for certificate verification" (see here for more info).
The problem with this option is I don't see a way to pass that through to AWS SDK. I can get things to work if I use:
Aws::Client::ClientConfiguration client_config;
client_config.region = "<my-region>";
client_config.caFile = "cacert.pem";  // SDK passes this through as CURLOPT_CAINFO
But it would be nice if I could just use the operating system's native CA store.
Is there a way to do this that I'm not seeing? I initialize Curl outside of aws-sdk-cpp and I've tried setting the property right after curl_global_init(CURL_GLOBAL_ALL);.
Something like...
curl_global_init(CURL_GLOBAL_ALL);
// the option is applied to this one easy handle only
if (CURL* curl = curl_easy_init()) {
    curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NATIVE_CA);
    curl_easy_cleanup(curl);  // release the handle again
}
Aws::SDKOptions options;
options.httpOptions.initAndCleanupCurl = false;  // Curl is initialised/cleaned up by us, not the SDK
Aws::InitAPI(options);
...
Aws::ShutdownAPI(options);
curl_global_cleanup();
But that unfortunately does not seem to work. If there's a way to do this I'd be really curious to know. Thank you!
Proposed Solution
Pass Curl option to aws-sdk-cpp at initialization time to use the operating system's native CA store.
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change