
curl-library

Re: SSLv2 and certificate verification

From: Craig Davison <cd_at_securityfocus.com>
Date: Sat, 12 Oct 2002 16:30:26 -0600

On Sat, Oct 12, 2002 at 08:47:45AM +1000, Cris Bailiff wrote:
> The site is using a 'chained' or 'intermediate' certificate, as is usual
> with Verisign 'global' certificates. (The site cert is signed by a
> 'Verisign Trust Network' cert, which is in turn signed by the Verisign root
> key in the ca-bundle file.)
> ssl2 doesn't support certificate chaining, that feature is only in ssl3
> and above, so the certificate chain can't be verified when using ssl2.

I thought it might be something like that. Thanks.

> Don't use ssl2 - there's no good reason if you have ssl3 capable software
> (and you almost always do) - ssl2 is broken in plenty of other ways too.

Well, all of our clients are using cURL and (hopefully) a reasonably new build of OpenSSL, so I could even use TLSv1 if I wanted to because it's supported on our servers.
Still, I've found that SSLv2 is just more reliable for large HTTPS uploads. Maybe it's picky firewalls. We haven't been able to figure out why many of our clients were having problems connecting to us before we switched to SSLv2, and almost none were after, but we know from experience that it just works better.
Anyway, I guess the solution for me is to get new certificates directly from Verisign, or to self-sign, and bundle our product with our certificate.

Thanks for your reply.

-- 
Craig Davison
Symantec Corporation
+1 (403) 213-3939 ext. 228
Received on 2002-10-13
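The chain problem Cris describes, as an added example that is not part of the thread: a constructed Root -> Intermediate -> leaf chain built with openssl, verified against a bundle that holds only the root. The leaf alone fails (the situation an SSLv2 peer is left in, since it cannot receive the intermediate) and passes once the intermediate is supplied. All names ("Example Root CA", "www.example.test") are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed three-level chain: Root CA -> Intermediate CA -> server leaf.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr >/dev/null 2>&1
# The intermediate must itself be marked as a CA or verify rejects the chain.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out inter.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -sha256 -out leaf.pem >/dev/null 2>&1

# verify_leaf_only: what an SSLv2 client effectively has, the leaf plus the
# trusted root bundle but no intermediate. Returns 0 only if verification passes.
verify_leaf_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# verify_with_chain: the intermediate is supplied as an untrusted link, the way
# an SSLv3/TLS server hands it over in its certificate message.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

if verify_leaf_only; then echo "leaf only: OK"; else echo "leaf only: FAIL (missing intermediate)"; fi
if verify_with_chain; then echo "with chain: OK"; else echo "with chain: FAIL"; fi
```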