curl-library

Re: Q: Where are the CA certificates?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 27 Nov 2001 08:18:44 +0100 (MET)

On Mon, 26 Nov 2001, Miklos Nemeth wrote:

> I compiled curl against OpenSSL statically on Win32 and deployed the
> curl.EXE onto another computer. To my surprise, it worked immediately
> with HTTPS servers without any CA certificate files.

You don't need to have any CA certificate files just to talk HTTPS. You
simply can't trust the site you're talking with then.

> AFAIK the server certificates are signed by CAs and can only be read by
> clients that have the public key of the particular CA.

That is not true. The CA's certificate files (or rather, their public keys)
are needed to verify that the remote site is what/who it says it is; they
aren't strictly required for the communication to take place.

> Where the hell did my Curl.exe get these CA public keys from?

Nowhere. It didn't verify the peer, because you didn't tell it to.

> Are they (statically) stored in the libraries as Win32 resources?

Nope.

> What am I missing?

The --cacert option and this package:

        http://curl.haxx.se/ca-cert-bundle.pem.gz

-- 
    Daniel Stenberg -- curl groks URLs -- http://curl.haxx.se/
Received on 2001-11-27
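
Added example (not part of the original mail and not code from the curl project): the three cases the reply distinguishes, run against a constructed local HTTPS server with throwaway self-signed certificates. It assumes a current curl, which verifies the peer by default, so --insecure is used to reproduce the unverified connection described above; the port, file names and function names are choices made for this example.

```sh
#!/bin/sh
# Added example. Everything below is constructed: throwaway keys, local server.
# Assumes openssl 1.1.1+ and curl on PATH; port 44443 is an arbitrary choice.
PORT=44443
URL="https://localhost:$PORT/"

# Make a self-signed certificate for localhost: new_cert <name> writes
# <name>.key and <name>.pem in the current directory.
new_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Fetch URL with the given extra curl options and print curl's exit code.
try_curl() {
    rc=0
    curl --silent --output /dev/null --max-time 5 --noproxy '*' "$@" "$URL" || rc=$?
    echo "$rc"
}

# Prints three exit codes: unverified, wrong CA file, right CA file.
demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && new_cert server && new_cert unrelated ) || return 1
    openssl s_server -accept "$PORT" -www \
        -cert "$dir/server.pem" -key "$dir/server.key" >/dev/null 2>&1 &
    srv=$!
    # Wait (up to about 10 s) for the server to accept connections.
    i=0
    while [ "$(try_curl --insecure)" != 0 ] && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    unverified=$(try_curl --insecure)                    # encrypted, peer not checked
    wrong_ca=$(try_curl --cacert "$dir/unrelated.pem")   # verification fails
    right_ca=$(try_curl --cacert "$dir/server.pem")      # verification succeeds
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    rm -rf "$dir"
    echo "$unverified $wrong_ca $right_ca"
}
# Calling demo prints: 0 60 0   (60 is curl's certificate-verification error)
```

The first and third requests both complete over TLS; only the third has checked that the server holds a key vouched for by the supplied CA file.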