curl-library

Using default cert bundle with PolarSSL

From: Jeff Pohlmeyer <yetanothergeek_at_gmail.com>
Date: Mon, 23 Aug 2010 08:09:45 -0500

I've been playing around with a polarssl-enabled build of libcurl and
the "ca-certificates.crt" generated by "mk-ca-bundle.pl" is failing
with error -0x01A0. The polarssl sources define that error code as:
  POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG

After some trial and error, I found that currently the only culprit
is the cert from "COMODO ECC Certification Authority" which has a
signature algorithm of "ecdsa-with-SHA384"

The quick fix is to manually remove the offending cert from the bundle,
after that polarssl can handle all the other certs just fine.

The attached "mk-ca-bundle.lua" script contains a workaround that will
(hopefully) exclude any certs with signature algorithms that polarssl
doesn't understand. The workaround is turned off by default, you can
enable it with the -p option.

As a side note, while browsing the libcurl mailing list archives I came
across this thread:

  http://curl.haxx.se/mail/archive-2010-07/0029.html

which implies that libcurl+polarssl will not work with self-signed
certificates.

I can say that at least for me, self-signed certs are working just fine.
(Provided of course that they are in a format that polarssl understands.)

 - Jeff

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2010-08-23
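The workaround the post describes, filtering a mk-ca-bundle output file by each root's signature algorithm, can be checked without a full X.509 library because the algorithm OID sits in the outer `Certificate` SEQUENCE right after `tbsCertificate`. The following is an added example written for this page; it is neither the attached mk-ca-bundle.lua nor curl's mk-ca-bundle.pl. The allowlist `POLARSSL_ALLOWED` (RSA-based signatures only) is an assumption about the PolarSSL build in question and should be checked against the library version actually used; the `fake_cert_pem` fixtures are constructed DER blobs with only the outer certificate shape, not real certificates, and all function names are this example's own.

```python
"""Filter a PEM CA bundle by each certificate's signature algorithm.
Added example, not the attached mk-ca-bundle.lua nor curl's mk-ca-bundle.pl."""
import base64
import re
import sys

# OID -> name for the signature algorithms this example recognises.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

# Assumption: the PolarSSL build verifies RSA signatures only, so every
# ECDSA-signed root is dropped.  Confirm against the library version in use.
POLARSSL_ALLOWED = frozenset(
    n for n in SIG_ALG_NAMES.values() if n.endswith("WithRSAEncryption"))

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """OID content octets -> dotted string (first octet packs arcs 1 and 2)."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, sig };
    skip tbsCertificate and return the OID inside signatureAlgorithm."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def pem_certs(pem_text):
    """Yield (pem_block, der_bytes) for every CERTIFICATE block in the text."""
    for m in PEM_RE.finditer(pem_text):
        yield m.group(0), base64.b64decode(m.group(1))


def filter_bundle(pem_text, allowed=POLARSSL_ALLOWED):
    """Return (kept_pem, dropped); dropped is a list of (index, algorithm)."""
    kept, dropped = [], []
    for i, (block, der) in enumerate(pem_certs(pem_text)):
        oid = signature_algorithm_oid(der)
        name = SIG_ALG_NAMES.get(oid, oid)   # unknown OIDs stay dotted and fail
        if name in allowed:
            kept.append(block)
        else:
            dropped.append((i, name))
    return "".join(b + "\n" for b in kept), dropped


def _tlv(tag, content):
    """Encode one DER TLV; used only to build the constructed fixtures."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)


def fake_cert_pem(sig_oid):
    """Constructed fixture, NOT a real certificate: dummy tbsCertificate, a
    real signatureAlgorithm, and a dummy BIT STRING long enough to force a
    long-form DER length."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)))
    sig = _tlv(0x03, b"\x00" * 200)
    body = base64.encodebytes(_tlv(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed bundle: two RSA-signed roots around one ecdsa-with-SHA384 root.
SAMPLE_BUNDLE = (fake_cert_pem("1.2.840.113549.1.1.5")
                 + fake_cert_pem("1.2.840.10045.4.3.3")
                 + fake_cert_pem("1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    # Usage: python filter_bundle.py ca-certificates.crt > polarssl-bundle.crt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    kept, dropped = filter_bundle(text)
    for idx, name in dropped:
        sys.stderr.write("dropping cert #%d (%s)\n" % (idx, name))
    sys.stdout.write(kept)
```

Run against a real mk-ca-bundle.pl output the regex picks the PEM blocks out of the surrounding comment headers, and the only root dropped under the RSA-only assumption is the ECDSA-signed one. Note the effect of the filter: chains that end at a dropped root now fail verification with an unknown-CA error rather than aborting the whole bundle load with POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG, which is the fail-closed behaviour you want from a trust store.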