cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: curl/lib/ca-bundle.crt

From: Cris Bailiff <c.bailiff+curl_at_devsecure.com>
Date: Thu, 27 Mar 2003 15:51:08 +1100

Götz,

(sorry for being late with this - been on holiday)

I'm a bit confused as to your description of the purpose of the TC Class 0 CA
certificate. It arrived in curl's ca-bundle because this file was taken from
the mod_ssl distribution, wihch contains the same list of CA information.

In turn, the mod_ssl ca-bundle file was extracted (according to it's header
comments) from a copy of netscape communicator (4.75). My own copy of
netscape 4.x also contains this same CA cert.

Are you saying that this CA has never been trustworthy (or that it's purpose
has changed over time) and that all software should remove it?

I could imagine it being included but marked as "not trusted for ssl signing",
but that doesn't seem to be the case - my netscape 4.x marks it trusted. Is
it some other aspect libcurl's openssl usage that is causing this cert to be
misused, or should mod_ssl (and netscape/mozilla?) also be informed to remove
it from their bundle?

Cheers,
Cris
c.bailiff+curl_at_devsecure.com

On Saturday 22 March 2003 06:57 am, Götz Babin-Ebell wrote:
> Hello Daniel
> (and everybody using cURL with SSL),
>
> the file curl/lib/ca-bundle.crt
> contains the certificate
>
> TC TrustCenter, Germany, Class 0 CA.
>
> Please remove it !
>
> It is a DEMO certificate and was never intended
> to be in any list of trusted CA certificates.
>
>
> Bye
>
> Goetz

-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
Received on 2003-03-27