[Haskell-cafe] Is there a cross platform CA certificate bundle solution for HsOpenSSL?

Julian Ospald hasufell at posteo.de
Sat Feb 14 02:20:39 UTC 2015

Marios Titas:
> If I want to use HsOpenSSL for a tls client application that verifies
> the server certificate I have to manually specify a CA certificate
> bundle containing the trusted roots. For example, in a linux system, I
> would do the following
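>     import OpenSSL.Session
>
>     mkTlsContext :: IO SSLContext
>     mkTlsContext = do
>         ctx <- context
>         -- Verify the peer's certificate chain during the handshake
>         contextSetVerificationMode ctx (VerifyPeer True False Nothing)
>         -- CA directory as found on a Linux system
>         contextSetCADirectory ctx "/etc/ssl/certs"
>         return ctx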
> The problem is that the above solution only works for linux. Is there
> a cross-platform way to find a reasonable CA bundle and use it with
> HsOpenSSL?
> Note that the tls package has x509-system [1] that does exactly that.
> So I am basically asking if anybody has written something similar for
> HsOpenSSL.
> [1] https://hackage.haskell.org/package/x509-system

You shouldn't have to manually specify it.

There is the function SSL_CTX_set_default_verify_paths() which sets
default directories for the CAfile and CApath which are configured
during compile-time of openssl.

Unfortunately, some distributions don't really follow these standard
paths, but that's your first bet.

You might find this link interesting too:

But from what I see... HsOpenSSL lacks this function. Unless I missed
something, I'd call that a bug.
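
Added example, not part of the original message and not HsOpenSSL's own code: a minimal FFI binding that calls SSL_CTX_set_default_verify_paths() on an HsOpenSSL context. It assumes OpenSSL.Session exports `withContext` and `SSLContext_` for raw pointer access; `setDefaultVerifyPaths` is a hypothetical name chosen here.

```haskell
{-# LANGUAGE ForeignFunctionInterface #-}
module DefaultVerifyPaths (setDefaultVerifyPaths, mkTlsContext) where

import Control.Monad   (unless)
import Foreign.C.Types (CInt (..))
import Foreign.Ptr     (Ptr)
import OpenSSL.Session
    ( SSLContext, SSLContext_, VerificationMode (..)
    , context, contextSetVerificationMode, withContext )

-- C prototype: int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
-- The symbol is resolved from the libssl that HsOpenSSL already links.
foreign import ccall unsafe "SSL_CTX_set_default_verify_paths"
    c_SSL_CTX_set_default_verify_paths :: Ptr SSLContext_ -> IO CInt

-- Hypothetical helper: point the context at the CAfile/CApath that were
-- configured when this OpenSSL was built. OpenSSL also honours the
-- SSL_CERT_FILE and SSL_CERT_DIR environment variables here.
setDefaultVerifyPaths :: SSLContext -> IO ()
setDefaultVerifyPaths ctx =
    withContext ctx $ \ptr -> do
        rc <- c_SSL_CTX_set_default_verify_paths ptr
        -- 1 means the lookup locations were registered. It does not prove
        -- that a bundle exists there: missing files are silently ignored.
        unless (rc == 1) $
            ioError (userError "SSL_CTX_set_default_verify_paths failed")

-- Same context as in the question, without a hard-coded directory.
-- Verification stays enabled, so if the default paths hold no trusted
-- roots the handshake fails closed instead of accepting any certificate.
mkTlsContext :: IO SSLContext
mkTlsContext = do
    ctx <- context
    contextSetVerificationMode ctx (VerifyPeer True False Nothing)
    setDefaultVerifyPaths ctx
    return ctx
```

Because the call succeeds even when the default locations are empty, a test connection to a known-good host is the practical check that the platform's bundle was actually picked up.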
