--capath not supported by libcurl with mbedTLS support

I am running into this weird error with my ar71xx builds:

Warning: ignoring --capath, not supported by libcurl
curl: (48) Error

This is since the switch from PolarSSL to mbedTLS. The full curl command is:

curl -# --capath /etc/ssl/certs/ --retry 3 "$URL/targets/$ARCH/$SUBTARGET/sha256sums" -o /tmp/sha256sums

Curl config:

$ ./scripts/diffconfig.sh |grep -i curl
# CONFIG_LIBCURL_FTP is not set

Libustream-mbedtls is installed.

"(TLS) Tells curl to use the specified certificate directory to verify the peer. Multiple paths can be provided by separating them with ":" (e.g. "path1:path2:path3"). The certificates must be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl to make SSL-connections much more efficiently than using --cacert if the --cacert file contains many CA certificates. "
It's not built against OpenSSL. It's built against mbedTLS.

And like I said, it worked perfectly before with PolarSSL.

It's an unsupported feature using mbed TLS.

OK... Yet it did work with PolarSSL. Sounds like a regression to me. Or did mbedTLS purposely drop some features when moving from their 'old' to their 'new' version?

So, while it seems --capath does not work anymore with mbedTLS, it looks like pointing cURL to the specific certificate to check against (with --cacert) works fine.

Problem worked around :smiley:

Is there another way to make this work? I would like to continue using the --capath flag.

Hi velvet,

we are experiencing the same issue in openwisp-config, which makes use of the --capath flag.

To fix this, curl must be compiled with openssl (maybe gnutls also works but I haven't tested this).
I am also wondering why this behaviour was changed and if it can be reverted or made backward compatible.

I found a workaround that seems to work and maintain backward compatibility with older OpenWRT versions:

If you are not worried about older openwrt versions, you can install the ca-bundle package.

I hope it is not too heretical.
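The thread's workaround (use --cacert with one bundle file where --capath is ignored, install the ca-bundle package on OpenWrt) can be automated so a download script keeps working across builds with different TLS backends. The script below is an added example written for this page, not code from the thread or from openwisp-config. It parses the first line of `curl --version` to find the TLS backend, picks --capath only where the thread reports it working (OpenSSL, and PolarSSL on older builds), and otherwise falls back to --cacert. The bundle path /etc/ssl/certs/ca-certificates.crt is an assumption (the directory /etc/ssl/certs/ comes from the thread); the version strings at the bottom are constructed sample input, not real output from any build.

```shell
#!/bin/sh
# Added example, not from the thread. Choose a curl CA option that the local
# libcurl build actually honours: mbedTLS-backed curl ignores --capath with
# "Warning: ignoring --capath, not supported by libcurl" and then fails, while
# --cacert with a single bundle file works on every backend.

CA_DIR="${CA_DIR:-/etc/ssl/certs/}"                        # directory from the thread
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}" # ASSUMPTION: bundle path

# tls_backend VERSION_TEXT
#   Prints the TLS backend name found on the first line of `curl --version`
#   (e.g. "... libcurl/7.66.0 mbedTLS/2.16.3 ..." -> "mbedTLS"); prints nothing
#   if no known backend token is present.
tls_backend() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 1; i <= NF; i++) {
            if (split($i, p, "/") == 2 &&
                p[1] ~ /^(OpenSSL|mbedTLS|GnuTLS|wolfSSL|BoringSSL|LibreSSL|PolarSSL|NSS)$/) {
                print p[1]; exit
            }
        }
    }'
}

# ca_option BACKEND
#   Prints the verification argument (flag and path) for that backend.
#   --capath is used only for backends the thread reports as working with it;
#   everything else, mbedTLS and unknown backends included, gets --cacert.
ca_option() {
    case "$1" in
        OpenSSL|PolarSSL) printf '%s %s\n' '--capath' "$CA_DIR" ;;
        *)                printf '%s %s\n' '--cacert' "$CA_BUNDLE" ;;
    esac
}

# fetch_with_ca URL OUTFILE
#   Runs the thread's download command with whichever CA option the installed
#   curl supports. Peer verification stays on in both branches.
fetch_with_ca() {
    version_text=$(curl --version 2>/dev/null) || return 1
    opt=$(ca_option "$(tls_backend "$version_text")")
    # $opt is intentionally unquoted: it expands to the flag and its path.
    # shellcheck disable=SC2086
    curl -# $opt --retry 3 "$1" -o "$2"
}

# Constructed sample version lines (not real build output) to show the decision
# without calling curl or the network.
sample_mbedtls='curl 7.66.0 (mips-openwrt-linux-gnu) libcurl/7.66.0 mbedTLS/2.16.3
Release-Date: 2019-09-11'
sample_openssl='curl 7.66.0 (mips-openwrt-linux-gnu) libcurl/7.66.0 OpenSSL/1.1.1d zlib/1.2.11
Release-Date: 2019-09-11'

for sample in "$sample_mbedtls" "$sample_openssl"; do
    backend=$(tls_backend "$sample")
    echo "backend=${backend:-unknown} -> $(ca_option "$backend")"
done
```

In a real script, replace the demo loop with a call such as `fetch_with_ca "$URL/targets/$ARCH/$SUBTARGET/sha256sums" /tmp/sha256sums`. Unknown backends deliberately fall into the --cacert branch rather than --capath, because a single bundle file is the option every backend accepts; if the bundle file is missing, curl still fails closed instead of skipping verification.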