I am working on a C++ Android app that uses gSOAP with OpenSSL. To enable OpenSSL to validate the server certificate I need to provide it with a location for SSL_CTX_load_verify_locations(ctx, "cacerts.pem", nullptr)
What is the right way to store and load cacerts.pem on Android?
You must load the one CA needed to verify the host's certificate.
You can load intermediates required to build a path from the host to the CA, but it's optional. A well configured server will send the needed intermediate certificates, but not all of them are well configured.
You don't load cacert.pem or equivalent.
cacert.pem contains hundreds of certificates, and all of them but one are wrong.
Do I need to copy cacerts.pem somehow into the .APK (how to do this?) and provide path to the file to SSL_CTX_load_verify_locations()?
No. You usually need one certificate, and that's the CA that certifies the host's certificate. It can be a public CA, like Comodo, or it can be a private CA internal to the organization.
You usually place it in the assets/ folder. Also see Difference between /res and /assets directories on Stack Overflow.
Is there a way to store cacerts.pem as a string buffer and thus avoid carrying it in the .APK?
Yes, but you might have to take the string, write it to the filesystem, and then use the file for SSL_CTX_load_verify_locations. So in the end, it's probably best to place it in
One important note for hostname validation. OpenSSL 1.0.2 and earlier does not perform name matching. It performs other customary checks, like ensuring a path exists from the end-entity certificate (the host) to the CA certificate (the root of trust) and the certificate is not expired. But it does not perform the hostname matching.
OpenSSL 1.1.0 does perform hostname matching. It will be released soon.
As a stopgap, you usually lift the missing code from a library like cURL. cURL performs the hostname matching, and Daniel Stenberg is happy to share the code. I think it's located in ssl.c, if memory serves me.
Also see TLS Client on the OpenSSL wiki.