cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Using default cert bundle with PolarSSL

From: Guenter <lists_at_gknw.net>
Date: Mon, 23 Aug 2010 17:50:19 +0200

Jeff,
Am 23.08.2010 15:09, schrieb Jeff Pohlmeyer:
> I've been playing around with a polarssl-enabled build of libcurl and
> the "ca-certificates.crt" generated by "mk-ca-bundle.pl" is failing
> with error -0x01A0. The polarssl sources define that error code as:
> POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG
>
> After some trial and error, I found that currently the only culprit
> is the cert from "COMODO ECC Certification Authority" which has a
> signature algorithm of "ecdsa-with-SHA384"
>
> The quick fix is to manually remove the offending cert from the bundle,
> after that polarssl can handle all the other certs just fine.
>
> The attached "mk-ca-bundle.lua" script contains a workaround that will
> (hopefully) exclude any certs with signature algorithms that polarssl
> doesn't understand. The workaround is turned off by default, you can
> enable it with the -p option.
Did you already inform the author of PolarSSL about this prob?
I think that the right long term fix would be that PolarSSL learns this
'unknown sig alg', or?

GŁn.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-08-23