Re: self signed certificates evaluation fails on Windows and OSX using the system provided back end
From: Tomalak Geret'kal via curl-library <curl-library_at_cool.haxx.se>
Date: Sun, 11 Apr 2021 12:47:34 +0100
On 10/04/2021 23:05, Daniel Stenberg via curl-library wrote:
>
>
>> Shouldn't libcurl offer a switch to disable revocation
>> check of self-signed
>> certificates?
>
> libcurl doesn't know "self-signed". but you can ask it to
> disable revocation checks with CURLOPT_SSL_OPTIONS's
> CURLSSLOPT_NO_REVOKE bit.
For what it's worth, I am turning this option on for any
build using Schannel in an environment that may use
self-signed certificates, or root certs that do MITM on a
corporate network; security issues with this aside, it's
common practice in many corporate networks, and adding this
option mimics what browsers do in this scenario.
It is kind of a shame that the option is an all-or-nothing
proposition, but I get why.
Cheers
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-04-11