lasote / conan-libcurl

Lib curl library package for conan

Getting CURLE_SSL_CACERT for mysterious reasons #2

Closed DEGoodmanWilson closed 8 years ago

DEGoodmanWilson commented 8 years ago

When I use Conan-provided libcurl, I am receiving CURLE_SSL_CACERT when I call https://slack.com/api/api.test

Using my system-installed libcurl, this does not happen, it connects correctly.

OS X 10.11.3, clang Apple LLVM version 7.0.2 (clang-700.1.81)

lasote commented 8 years ago

Do you have a snippet to try it?

lasote commented 8 years ago

I think it's related to the "ca-bundle.crt" file. This file contains the well-known certificates and it's used to validate certificates issued by well-known root CAs. This file is not commonly distributed with libcurl (it's more an openssl thing). I will take a look at it and see if I can export a modern ca-bundle.crt file with maybe openssl (and therefore with libcurl) and see where libcurl is looking for this file. The libcurl installed in your system should be working because there is a valid certs file in the libcurl's path (whatever it is).

Thanks for reporting it.

lasote commented 8 years ago

I found this https://curl.haxx.se/libcurl/c/cacertinmem.html It allows you to have a valid cacert file as a string. Maybe it is a good approach, because if you move your library to another computer it can fail because of the same problem. (With conan I distribute a cacert file because in python I have the same problem).

If you prefer to have the cacert file in a file I think you can do it:

curl_easy_setopt(curl, CURLOPT_CAPATH, capath)

Tell me if you can try any of those options and if it works! :+1:
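A diagnostic for the situation discussed in this thread, as an added example that is not part of the thread or of conan-libcurl: it checks which candidate CA bundle file exists and actually contains PEM certificates, so the result can be handed to libcurl. The function names, the APP_CA_BUNDLE variable and the candidate paths are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count PEM certificate blocks in a file; -1 if the file cannot be opened. */
int count_pem_certs(const char *path)
{
    static const char marker[] = "-----BEGIN CERTIFICATE-----";
    char line[1024];
    int n = 0;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, marker, sizeof marker - 1) == 0)
            n++;
    fclose(f);
    return n;
}

/* Return the override if it is usable, else the first candidate holding at
 * least one certificate, else NULL (verification would then fail). */
const char *find_ca_bundle(const char *override,
                           const char *const *candidates, size_t n)
{
    if (override && count_pem_certs(override) > 0)
        return override;
    for (size_t i = 0; i < n; i++)
        if (count_pem_certs(candidates[i]) > 0)
            return candidates[i];
    return NULL;
}

int main(void)
{
    /* Common bundle locations (assumed); adjust for the target system. */
    static const char *const paths[] = {
        "/etc/ssl/cert.pem",
        "/etc/ssl/certs/ca-certificates.crt",
        "/etc/pki/tls/certs/ca-bundle.crt",
    };
    /* APP_CA_BUNDLE is a hypothetical application-level override. */
    const char *bundle = find_ca_bundle(getenv("APP_CA_BUNDLE"), paths, 3);
    if (!bundle) {
        fprintf(stderr, "no usable CA bundle; expect CURLE_SSL_CACERT\n");
        return 1;
    }
    printf("%s: %d certificates\n", bundle, count_pem_certs(bundle));
    /* libcurl: CURLOPT_CAINFO takes a bundle file, CURLOPT_CAPATH a directory:
     * curl_easy_setopt(curl, CURLOPT_CAINFO, bundle); */
    return 0;
}
```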

DEGoodmanWilson commented 8 years ago

Thanks for looking into this! I'll give this a try. Probably won't be until next week.

DEGoodmanWilson commented 8 years ago

So, I'm not super happy with having to call curl_easy_setopt, in no small part because this error is cropping up in a library that wraps lib curl. I don't want to have to special case things in that library just for Conan on OS X, when it already runs fine on OS X using system lib curl.

I'm also not super happy with having to pass in a cacert with my app, although that is preferable to the above.

What I'm finding myself wondering, now, is something rather different: Given that Apple's libssl implementation is very different from OpenSSL, I begin to wonder if the right way forward here is for Conan to defer to installed system libraries when present, rather than downloading a fresh set. So, for example, when lib curl is requested, and lib curl is already in the library search path, just defer to that one.

lasote commented 8 years ago

Ok, I understand you don't like to handle the curl_easy_setopt, I'll think about a better solution. About removing the dependency on Apple, it should be possible using a conanfile.py file instead of conanfile.txt. You should be able to alter the requirements doing something similar to:

if self.settings.os == "Macos":
    self.requires.remove("libcurl")

I can try it and give you the right lines. Is your project open? Maybe I can take a look and try. If not, you mention that the error appears in a library that wraps lib curl. Can I know which one?

I'm here to help!

DEGoodmanWilson commented 8 years ago

This sounds like a step in the right direction. I still think a more general mechanism might be useful, but this is likely a good thing to try out. Ultimately all this is for CPR: https://github.com/whoshuu/cpr, for which I am trying to build Conan support. In particular here is the PR I have issued against CPR with Conan support. I'm still working out the right way to integrate Conan with CPR, so some additional :eyes: and :speech_balloon: are very welcome.

lasote commented 8 years ago

Of course! We are glad you are trying to build conan support for CPR. I've seen the PR and the comments about conan. Good feedback! I'm sure we can collaborate to reach a good solution for all your concerns about conan and make it better. My partner @memsharded will help us a lot.

About the maturity of conan, it's your opinion and, of course, it's ok. We'll work to increase your confidence in conan :+1: . Our personal opinion is that, if you knew biicode, conan today has at least 10 times more maturity than biicode ever had, really. We already know that people are using conan to develop real libraries for production projects with success.

I'm going to analyze your PR to find a better solution for the integration problems.

Thanks!

DEGoodmanWilson commented 8 years ago

Don't get me wrong: I'm bullish on Conan. I wouldn't be experimenting with it if I weren't ;) But…I also have opinions :D

lasote commented 8 years ago

Of course! :+1: Any opinions are very welcome