I have built curl 7.39.0 and openssl 1.0.2 for Android. I point openssl to the CA certificate directory:
curl_easy_setopt( curl, CURLOPT_CAPATH, "/system/etc/security/cacerts" );
But when I call curl_easy_perform I get error code 60: Peer certificate cannot be authenticated with given CA certificates.
From a bit of googling I've found that the Android cacerts are generated with an MD5 hash, but as of version 1.0.0, OpenSSL uses SHA-1.
Does anyone know how to make OpenSSL 1.0.2 able to read Android's MD5-named CA certs?
Google must have done this somehow, as their openssl repo for android uses version 1.0.1j.
Otherwise I suppose my options are to use openssl 0.9.8 like in this answer, or to use my own CA certificate bundle - but I'd rather have the latest version and not have to worry about maintaining CA certificates myself.
All these files in the /system/etc/security/cacerts folder are certificates in PEM format, and the name is a hash over the subject. I don't think you can use the folder as it is with newer OpenSSL versions. But you can simply cat all these files together into a single file and use this with CURLOPT_CAINFO. While this is not as good as using the directory directly, it might be better than getting a CA bundle from somewhere else.
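As an added example (not code from the question or the answer above), the following POSIX shell script shows both workarounds side by side: concatenating the Android certificates into one PEM bundle for CURLOPT_CAINFO, and rebuilding a CAPATH directory whose entries are named by the SHA-1 subject hash that OpenSSL 1.0.0 and later look up (`openssl x509 -subject_hash`) instead of the old MD5 hash (`openssl x509 -subject_hash_old`) that Android's file names use. It assumes a POSIX `sh`, the `openssl` command-line tool for the rehash path, and a writable output location; the source directory path and the output paths are placeholders, and since /system is read-only on a device, the output has to live in the app's own data directory. Android's cacerts files carry a PEM block followed by a human-readable text dump; OpenSSL's PEM reader ignores anything outside the BEGIN/END markers, so plain concatenation is sufficient.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Assumes: POSIX sh, `openssl` CLI (for rehash_ca_dir/show_hashes), and a
# writable output directory (e.g. the app's files dir; /system is read-only).

# Option 1: concatenate every certificate file into one PEM bundle,
# then point libcurl at it with CURLOPT_CAINFO.
# Prints the number of certificates written so the caller can sanity-check.
build_ca_bundle() {
    src_dir=$1
    out_file=$2
    : > "$out_file"
    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue
        cat "$f" >> "$out_file"
    done
    grep -c 'BEGIN CERTIFICATE' "$out_file"
}

# Option 2: build a CAPATH directory keyed by the new (SHA-1) subject hash.
# OpenSSL >= 1.0.0 looks up <sha1-hash>.N in CURLOPT_CAPATH; Android names its
# files <md5-hash>.N, so lookups fail. This is what c_rehash does, written out
# so the mechanism is visible. Files are copied rather than symlinked so the
# result is valid even if the source directory is later unmounted or moved.
# Prints the number of entries created.
rehash_ca_dir() {
    src_dir=$1
    out_dir=$2
    mkdir -p "$out_dir"
    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || continue
        i=0
        # Distinct subjects can share a hash; OpenSSL expects .0, .1, .2, ...
        while [ -e "$out_dir/$h.$i" ]; do i=$((i + 1)); done
        cp "$f" "$out_dir/$h.$i"
    done
    n=0
    for f in "$out_dir"/*; do [ -f "$f" ] && n=$((n + 1)); done
    echo "$n"
}

# Diagnostic: print both hashes for one certificate. The "old" value is the
# file name Android uses; the "new" value is what OpenSSL 1.0.x searches for.
show_hashes() {
    printf 'old(md5)=%s new(sha1)=%s\n' \
        "$(openssl x509 -noout -subject_hash_old -in "$1")" \
        "$(openssl x509 -noout -subject_hash -in "$1")"
}

# Usage on a device (placeholder output path):
#   build_ca_bundle /system/etc/security/cacerts /data/data/<pkg>/files/cacerts.pem
#   rehash_ca_dir   /system/etc/security/cacerts /data/data/<pkg>/files/certs
# then pass the bundle via CURLOPT_CAINFO, or the rehashed directory via
# CURLOPT_CAPATH.
```

After running either function, use CURLOPT_CAINFO with the bundle file or CURLOPT_CAPATH with the rehashed directory; the bundle approach has no dependency on the openssl binary at runtime, while the rehash approach keeps OpenSSL's per-file lookup. Either way the CA set is still the one shipped in the device's /system image, so it tracks the platform's updates rather than a bundle you maintain yourself.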