Re: ca-cert bundle missing Verisign cert, breaking SSL to Amazon

From: Daniel Stenberg <>
Date: Mon, 27 Oct 2014 22:56:41 +0100 (CET)

On Mon, 27 Oct 2014, Lamont Granquist wrote:

> The latest drops these cert:


> If those are being dropped after being scraped, then someone should probably
> be made aware that it's a cert at the base of Amazon's SSL certs and removing
> that cert from the ca-bundle breaks and

I'm pretty sure they are dropped on purpose because of the recently introduced
RSA-1024 bit requirement as mentioned here:, at least they vanished with that
specific Mozilla bump.

That's also a reason why we point to the last cacert.pem from before that
change on that same web page.

Of course, it could also be a bug in the mk-ca-bundle script.


At the bottom it lists these certs as "weak" and I suspect it is that
attribute that makes our script exclude them.

Received on 2014-10-27