Modify LIbcurl to support SSL

[martyj]

The current version of Libcurl with Leadwerks on Windows doesn't support SSL.

The error I get from ERRORBUFFER is as follows: Protocol \"https\" not supported or disabled in libcurl

[Josh]

Yeah, it requires an additional lib called like ssleay or something like that.  Where I ran into trouble was I could not figure out what the contents of the cacert.pem file was supposed to be or how to safely distribute it, and no one on the web could give me a straight answer.

[martyj]

Were you trying to publish your own certificate authority file?

I believe libcurl uses Window's CA list by default unless you wanted to self-sign your own SSL certificates.
 

[Josh]

1 minute ago, martyj said:

Were you trying to publish your own certificate authority file?

I believe libcurl uses Window's CA list by default unless you wanted to self-sign your own SSL certificates.
 

I don't know enough about it to answer that.  All I know if I put my private key in the cacert.pem file it worked, and nothing else would work.

[martyj]

I don't think you need to be having a CA file.

The CA file is basically a way to identify that a certificate has been verified through the certificate authority for a domain.

There are two parts to SSL encryption over HTTP.

The first is Domain verification.
The second is encryption.

Domain Verification is through the use of Certificate Authorities

Operating systems include a bunch of certificate authority files from like GeoTrust, DigiCert, ect.

When you go to create an SSL certificate you use like GeoTrust or whoevever. They usually have domain verification to prove that you own leadwerks.com. That way not just anybody can create an SSL certificate on your domain.

GeoTrust will then issue you a SSL certificate based off of their CA private key.

Your SSL certificate is in two parts, a public key and a private key. You keep your private key a secret and hand out your public key.

When you visit say https://leadwerks.com, there is an SSL handshake which provides information about your public key, the ca to use, ect. Your browser will then look at the certificate authority to check if that public key really came from say GeoTrust or if your SSL certificate is lying.

This allows the "green" secure icon in the top of your browser stating, yes you are in fact visiting leadwerks.com instead of someone pretending to be. Look up bitsquating if you want to see attacks that can be done if this wasn't around.

The second part of SSL is pretty straight forward. Tom Scott on Youtube has some good videos on RSA encryption

----

Now the self signed certificates.

Previously SSL certificates use to be super expensive. Like $50-$1200/year per domain name. Since GeoTrust paid Microsoft and Apple a ton of money to include their CA on their operating systems, they have to make some of it back, by charging you.

If you wanted free SSL certificates in the past you could create your own certificate authority file. Have users install it on their system, then you could verify domain names yourself, without having to pay someone to do it.

Currently if you want a free SSL certificate, LetsEncrypt is the best way to go IMO.

So you shouldn't have to deal with certificate authorities. You can have free SSL certificates.