OpenSSL 1.0.2 to read CA md5 certificates

I created curl 7.39.0 and openssl 1.0.2 for Android. I point openssl at the CA certificate directory:

curl_easy_setopt( curl, CURLOPT_CAPATH, "/system/etc/security/cacerts" );

But when I call curl_easy_perform, I get error code 60: Peer certificate cannot be authenticated with given CA certificates.

From a little googling I found that android-cacerts are generated with an md5 hash, but as of 1.0.0, openssl uses sha1.

Does anyone know how to make openssl 1.0.2 able to read android md5 ca certificates?

Google must have done it somehow, since their openssl repo for android is using version 1.0.1j.

Otherwise, I suppose my options are to use openssl 0.9.8 like in this answer, or use my own CA certificate suite, but I would prefer the latest version and not have to worry about maintaining CA certificates myself.

+3


2 answers


All of these files in the folder /system/etc/security/cacerts are PEM-formatted certificates and the name is the hash for the object. I don't think you can use this folder as-is with newer versions of openssl. But you can simply concatenate all these files into one file and use it with CURLOPT_CAINFO. While not as good as using the directory directly, it might be better than getting the CA package from elsewhere.



+3


Using a native CA bundle is safer than reading from the Android system directory due to various permission issues seen in some OEMs, and if at all Google decides to change the directory for newer versions, you will have to change the code again. Maintaining your own CA package can be simplified if the CA package, ex: "cacert.pem", is in the assets directory and the function copies it from assets to internal storage and provides an absolute path to that internal storage directory in CAINFO. You can follow the code at https://github.com/vyshas/CURL-Android-with-verify-peer- where it uses 1.0.1p and curl 7.40.0.



0
