
I have built curl 7.39.0 and openssl 1.0.2 for Android. I point openssl to the CA certificate directory:

curl_easy_setopt( curl, CURLOPT_CAPATH, "/system/etc/security/cacerts" );

But when I call curl_easy_perform I get error code 60: Peer certificate cannot be authenticated with given CA certificates.

From a bit of googling I've found that the Android cacerts are generated with an md5 hash, but as of version 1.0.0, openssl uses sha1.

Does anyone know how to make openssl 1.0.2 able to read Android's md5 ca certs?

Google must have done this somehow, as their openssl repo for android uses version 1.0.1j.

Otherwise I suppose my options are to use openssl 0.9.8 like in this answer, or to use my own CA certificate bundle - but I'd rather have the latest version and not have to worry about maintaining CA certificates myself.

Jack

3 Answers

All these files in the /system/etc/security/cacerts folder are certificates in PEM format and the name is a hash over the subject. I don't think you can use the folder as it is with newer openssl versions. But you can just simply cat all these files together into a single file and use this with CURLOPT_CAINFO. While this is not as good as using the directory directly it might be better than getting a CA bundle from somewhere else.

Steffen Ullrich
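One way to do the concatenation this answer suggests, as an added shell example that is not part of the answer: it walks a directory of per-certificate PEM files, skips anything that is not a certificate, makes sure each file ends with a newline before the next one is appended (a file without a trailing newline would otherwise glue two certificates onto one line, which breaks parsing of the second), and reports how many certificates it wrote. The sample directory it builds contains constructed placeholder files, not real certificates, and the output path /data/local/tmp/cacerts.pem is an assumption, not something the answer states. The reason the directory cannot be handed to CURLOPT_CAPATH as-is is that OpenSSL 1.0.0 and later look certificates up by the SHA-1-based file name produced by "openssl x509 -subject_hash", while Android's file names are the older MD5-based "-subject_hash_old" form; a single bundle passed via CURLOPT_CAINFO sidesteps the naming scheme entirely.

```shell
#!/bin/sh
# Added example (not from the answer): merge Android's per-certificate PEM files
# into one bundle that libcurl can load through CURLOPT_CAINFO.
# The /data/local/tmp output location used below is an assumption.
set -eu

# Concatenate every PEM certificate file under directory $1 into bundle file $2.
# Prints the number of certificates written.
build_ca_bundle() {
    srcdir="$1"
    bundle="$2"
    : > "$bundle"                      # create or truncate the output file
    count=0
    for f in "$srcdir"/*; do
        [ -f "$f" ] || continue
        # Android keeps one PEM certificate per file; skip anything else.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue
        cat "$f" >> "$bundle"
        # $(tail -c 1) is empty when the last byte is a newline (command
        # substitution strips it); otherwise append one so the next BEGIN line
        # does not land on this file's END line.
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$bundle"
        count=$((count + 1))
    done
    echo "$count"
}

# Count BEGIN markers that occupy a whole line (-x); two certificates glued
# together by a missing newline would not match and would show up as a shortfall.
count_certs() {
    grep -c -x -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Build a directory of constructed placeholder files (not real X.509 data) that
# mimics the layout of /system/etc/security/cacerts; the second file
# deliberately lacks a trailing newline, and README is not a certificate.
make_sample_dir() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER1' '-----END CERTIFICATE-----' > "$dir/deadbeef.0"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER2' '-----END CERTIFICATE-----' > "$dir/cafef00d.0"
    printf '%s\n' 'not a certificate' > "$dir/README"
    echo "$dir"
}

# Stand-alone run on the constructed directory; the bundle is written next to
# the directory rather than inside it so the loop never sees its own output.
demo() {
    src=$(make_sample_dir)
    n=$(build_ca_bundle "$src" "$src.pem")
    echo "wrote $n certificate(s) to $src.pem; whole-line BEGIN markers: $(count_certs "$src.pem")"
}
demo

# On a device (source path from the question; the output path is an assumption):
#   build_ca_bundle /system/etc/security/cacerts /data/local/tmp/cacerts.pem
# and then in the app, instead of CURLOPT_CAPATH:
#   curl_easy_setopt(curl, CURLOPT_CAINFO, "/data/local/tmp/cacerts.pem");
```

The bundle has to be regenerated whenever the system store changes, so it is best rebuilt at app start rather than shipped once; the count printed by build_ca_bundle is a cheap sanity check that the directory was readable and nothing was silently skipped.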

Using your own CA bundle is safer than reading from the Android system directory, due to various permission issues seen in certain OEMs, and if Google ever decides to change the directory for newer versions you will have to change the code again. Maintaining your own CA bundle can be made easy if the CA bundle (e.g. "cacert.pem") is in the assets directory and a function copies it from assets to internal storage and provides the absolute path of that internal storage directory in CAINFO. You can follow the code in https://github.com/vyshas/CURL-Android-with-verify-peer- where it uses 1.0.1p and curl 7.40.0.

Vyshakh Amarnath

For readers who are running into this same issue and are not willing to side-load the certificates through the app: what I did was to use boringssl instead of openssl. boringssl is able to load the certificates from the Android storage in their current form.

I would have preferred openssl, but I didn't want to be responsible for "provisioning" my app with certificates and keeping them up to date.

Amir Dora.