curl-library

Re: Regd: CaCerts at https://curl.haxx.se/ca/cacert.pem

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 3 Mar 2016 18:45:31 +0100 (CET)

On Thu, 3 Mar 2016, Jothi Kanth wrote:

> We use the certificate at https://curl.haxx.se/ca/cacert.pem to verify the
> SSL certificates of the URLs we are hitting. But there seem to be some
> missing certificates in the recently released cacert.pem file on Jan 20th.
> So we are not able to verify some of the websites. Is this expected? Please
> let me know.

It is expected that you will only get certificates verified if the CA cert is
in the bundle, yes. So if you use such a certificate store against an SSL/TLS
server using a certificate signed by another CA or with a cert otherwise not
present, then curl won't know it is fine.

Using a CA cert bundle is a question about trust. That bundle is simply a
conversion of the bundle Mozilla provides - the ones they trust. It doesn't
mean that those CAs are the same set of CAs you trust.

-- 
  / daniel.haxx.se
Received on 2016-03-03
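
The behaviour described in the reply above (a server certificate verifies only when its issuing CA is in the bundle you supply), as an added example that is not part of the original mail or of curl's own code. It assumes the `openssl` command-line tool is installed; every CA, key and host name in it is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every key and certificate is generated locally.
# Names (bundle CA, private CA, server.example) are assumptions.

make_ca() {  # $1 = file prefix, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ca.cnf \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

verifies() {  # $1 = CA bundle, $2 = certificate; trust only what is in $1
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

demo_bundle_trust() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  # Minimal config so the generated roots carry basicConstraints CA:TRUE.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  make_ca bundle-ca "Constructed Bundle CA"    # stands in for a CA in cacert.pem
  make_ca private-ca "Constructed Private CA"  # a CA the bundle does not carry
  cp bundle-ca.pem bundle.pem                  # stands in for the downloaded bundle

  # Server certificate issued by the CA that is NOT in the bundle.
  openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=server.example" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA private-ca.pem -CAkey private-ca.key \
    -CAcreateserial -days 1 -out leaf.pem 2>/dev/null

  if verifies bundle.pem leaf.pem; then first=accepted; else first=rejected; fi
  # Extending trust is an explicit decision: append the CA you chose to trust.
  cat bundle.pem private-ca.pem > custom-bundle.pem
  if verifies custom-bundle.pem leaf.pem; then second=accepted; else second=rejected; fi
  echo "$first-then-$second"
)

demo_bundle_trust   # prints: rejected-then-accepted
```

A bundle extended this way is passed to curl with `--cacert`, or to libcurl with `CURLOPT_CAINFO`.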