curl-library

Re: Support for openssl trusted_first flag

From: Robert Foreman <robert.foreman_at_rd.bbc.co.uk>
Date: Wed, 21 Dec 2011 11:34:23 +0000

> Date: Tue, 20 Dec 2011 10:10:46 -0800
> From: Dan Fandrich <dan_at_coneharvesters.com>
> To: curl-library_at_cool.haxx.se
> Subject: Re: Support for openssl trusted_first flag
> Message-ID: <20111220181046.GC31208_at_coneharvesters.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Tue, Dec 20, 2011 at 05:47:11PM +0000, Robert Foreman wrote:
>> Openssl defines a flag, -trusted_first, which causes it to verify
>> certificates using a trusted certificate store, even if an untrusted
>> store is also available. This is described in a patch at
>> <http://marc.info/?l=openssl-cvs&m=126710063626226>.
>>
>> I've created a patch for cURL that adds a --trusted_first flag,
>> allowing (lib)curl to use this openssl functionality.
>
> Is there any reason to make this configurable at run-time rather than having
> it enabled all the time?

I made the patch in order to fix a problem I was having with a
certificate chain, and I wanted to be able to turn the feature on and
off quickly while I did some tests. Also, it mirrors the way the flag is
used in openssl itself. I think it would be useful to allow some
flexibility, whether it's at run-time or configure or somewhere else.

(The particular problem I was having, for context, was a certificate
that can be verified by two different roots, one sent by the server and
one in the CA bundle. The flag allows us to choose which root is
preferred over the other.)

Rob

-- 
Rob Foreman
BBC Future Media & Technology
D221 Centre House, 56 Wood Lane, LONDON W12 7SB
+44 303 040 9587
robert.foreman_at_rd.bbc.co.uk
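As an added illustration of the lookup-order difference Rob describes (example code, not from the thread, curl or OpenSSL): a small Python model of path building over made-up certificate records, showing the server-sent root winning the chain when the untrusted list is searched first and the CA-bundle root winning when the trust store is consulted first. The `Cert` class, key ids and names are all constructed for the demonstration.

```python
# Constructed model of X.509 chain building with and without "trusted first".
# Not OpenSSL's or curl's code: certificates are plain records, and a signature
# "checks out" when the candidate issuer's key id equals the key id that signed
# the child. Every name and key id below is made up.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str       # identifies this certificate's public key
    signed_with: str  # key id whose private half produced the signature

    def issued(self, child):
        return self.subject == child.issuer and self.key_id == child.signed_with

def build_chain(leaf, untrusted, trusted, trusted_first=False, max_depth=8):
    """Return (verdict, [subjects of the path built]). Lookup order is the point:
    OpenSSL historically searched the peer-supplied (untrusted) list for each
    issuer before the trust store; X509_V_FLAG_TRUSTED_FIRST reverses that, so a
    cross-signed copy on the wire cannot steer the path to a root we never trusted."""
    chain = [leaf]
    while len(chain) <= max_depth:
        cur = chain[-1]
        if cur in trusted:                       # reached a trust anchor
            return "ok", [c.subject for c in chain]
        if cur.issued(cur):                      # self-signed but not trusted
            return "chain ends at an untrusted root", [c.subject for c in chain]
        pools = (trusted, untrusted) if trusted_first else (untrusted, trusted)
        issuer = next((c for pool in pools for c in pool if c.issued(cur)), None)
        if issuer is None:
            return "no issuer found", [c.subject for c in chain]
        chain.append(issuer)
    return "chain too long", [c.subject for c in chain]

# The thread's situation: the intermediate verifies under two roots, "Old Root"
# (sent by the server via a cross-signed copy of New Root) and "New Root" (in
# the local CA bundle). Both roots are valid; only the client's trust differs.
NEW_ROOT = Cert("New Root", "New Root", "k_new", "k_new")
OLD_ROOT = Cert("Old Root", "Old Root", "k_old", "k_old")
CROSS    = Cert("New Root", "Old Root", "k_new", "k_old")  # New Root's key, signed by Old Root
INTER    = Cert("Example CA", "New Root", "k_int", "k_new")
LEAF     = Cert("www.example.test", "Example CA", "k_leaf", "k_int")
SERVER_SENT = [INTER, CROSS, OLD_ROOT]  # peer-supplied, untrusted
CA_BUNDLE = [NEW_ROOT]                  # e.g. what --cacert points at

def verify(trusted_first):
    return build_chain(LEAF, SERVER_SENT, CA_BUNDLE, trusted_first)
```

Calling `verify(False)` walks leaf, intermediate, cross cert and Old Root and stops at an untrusted root; `verify(True)` stops at New Root from the bundle and reports "ok".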
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2011-12-21