Option similar to curl --insecure #31

Closed
andn99 opened this issue Aug 15, 2024 · 4 comments

andn99 commented Aug 15, 2024

Hello, I'm currently having an issue using NScurl via a MITM proxy.
The MITM proxy issues a custom certificate that I installed and trusted on my Windows machine.

When I ran a curl POST request in PowerShell to one of my API endpoints via that proxy, I got an Unknown CA error. Then I tried again with curl --insecure, and it worked.

When sending the same request using NScurl in my NSIS installer, I also got an Unknown CA error. Then I tried to run it with /CACERT none /CASTORE false; I no longer received Unknown CA, but got an SSL handshake error. I'm wondering if there is an option in NScurl to ignore certificate validation, like --insecure in curl.

@negrutiu
Owner

/CACERT none /CASTORE false is literally equivalent to --insecure.
SSL handshakes might fail for multiple reasons. Could be that the MITM proxy is negotiating an insecure/unsupported SSL cipher, for example...
I recommend you try the /DEBUG ... parameter to help you troubleshoot the issue.

NScurl::http GET ${url} ${destination} /DEBUG nodata "$TEMP\nscurl.debug.txt" /cacert none /castore false /END

Have a look at the debug file and see if anything stands out.

@andn99
Author

andn99 commented Aug 16, 2024

> /CACERT none /CASTORE false is literally equivalent to --insecure.
> SSL handshakes might fail for multiple reasons. Could be that the MITM proxy is negotiating an insecure/unsupported SSL cipher, for example...
> I recommend you try the /DEBUG ... parameter to help you troubleshoot the issue.
>
> NScurl::http GET ${url} ${destination} /DEBUG nodata "$TEMP\nscurl.debug.txt" /cacert none /castore false /END
>
> Have a look at the debug file and see if anything stands out.

Thanks @negrutiu! I got the "unsafe legacy renegotiation disabled" error in the debug logs. It may be because of OpenSSL 3.3.1 in the latest version. I tested with an older version (OpenSSL 1.1.1) and it worked (/cacert "", castore is not available for that version).

@negrutiu
Owner

> I got the "unsafe legacy renegotiation disabled" error in the debug logs. It may be because of OpenSSL 3.3.1 in the latest version. I tested with an older version (OpenSSL 1.1.1) and it worked (/cacert "", castore is not available for that version).

That's useful info, thanks
I've made an experimental fix for it. Could you please get it from https://github.com/negrutiu/nsis-nscurl/actions/runs/10421731686 and see how it goes?

@negrutiu
Owner

It looks like you're connecting to a server that's using an insecure/legacy renegotiation protocol.
libcurl is blocking it because it doesn't meet the current crypto standards.
The latest release has a new option /SECURITY weak which enables weak crypto algorithms and improves compatibility with legacy servers.
Thanks for reporting the issue.
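
The two settings discussed in this thread, side by side, as an added example that is not from the thread or the NScurl project: the validation-off call the reporter tried, and a variant that validates against the proxy's CA file while using /SECURITY weak for the legacy-renegotiation server. It assumes /CACERT is given a PEM file path and that certificate validation stays governed by /CACERT and /CASTORE when /SECURITY weak is set; `proxy-ca.pem`, the URL and the output names are placeholders.

```nsis
; Added example. proxy-ca.pem, the URL and the file names are placeholders.
Name "nscurl-ca-demo"
OutFile "nscurl-ca-demo.exe"
RequestExecutionLevel user

!define URL "https://api.example.test/v1/ping"   ; placeholder endpoint

Section
  InitPluginsDir
  ; Ship the MITM proxy's root certificate (PEM) inside the installer.
  File "/oname=$PLUGINSDIR\proxy-ca.pem" "proxy-ca.pem"

  ; Weak (what the thread tried): no CA bundle and no CA store, so the
  ; server certificate is not validated at all (same as curl --insecure).
  ; NScurl::http GET "${URL}" "$TEMP\ping.json" /CACERT none /CASTORE false /END

  ; Corrected: trust only the proxy CA, keep validation on, and relax
  ; crypto compatibility for the legacy server instead of certificate checks.
  NScurl::http GET "${URL}" "$TEMP\ping.json" \
      /CACERT "$PLUGINSDIR\proxy-ca.pem" /CASTORE false \
      /SECURITY weak \
      /DEBUG nodata "$TEMP\nscurl.debug.txt" /END
  Pop $0   ; "OK" on success, otherwise an error string

  StrCmp $0 "OK" done
    ; Keep the failure visible; the debug file shows the TLS-level reason.
    DetailPrint "Transfer failed: $0 (see $TEMP\nscurl.debug.txt)"
    SetErrorLevel 1
  done:
SectionEnd
```

If the "Unknown CA" error persists with the explicit CA file, the debug file will show which certificate in the chain was rejected.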
