
Re: Certificate update question

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Sat, 23 Dec 2017 14:53:16 -0500

On 12/21/2017 5:21 PM, Dave S via curl-library wrote:
> <quote edited=true>
> The certificates for TBD Portal (tbd.tbdservice.com
> <http://tbd.tbdservice.com>) and MainTBD Portal (*.tbdservice.com
> <http://tbdservice.com>) will be updated Jan 17, 2018 due to Google’s
> plan to distrust certificates issued prior to 6/1/2016 under the
> Symantec infrastructure.  Please install the new certificate on your
> systems before the renewal date and test your integrations in TBD
> before Feb 14, 2018.
> </quote>
>
> I don't see anything I have to do on my development systems -- the
> browser should handle the certificate update for me, right?  But on
> many of the systems where my code is deployed, there is no reason to
> expect the users to view web pages from that server, so the browser
> won't have a need to update those certs.  I currently don't do
> anything explicit about certs, letting libcurl find the system
> defaults.  Do I need to take action, and if so ... what?  Or will it
> all get worked out for me behind the curtain?

There's not enough information to tell. Basically if the SSL library
libcurl is using doesn't have the CA that TBD is going to use for the
new certificate then libcurl wouldn't be able to successfully connect to
the server. Contact the company and ask them what CA they are going to
use to sign the certificate.

Next focus on what CA bundle/database/directory location libcurl is
using. Sometimes you can see that by enabling verbose mode. If your
program specified a database using CAINFO or CAPATH then check there.
Otherwise check the default location set at build-time. It may or may
not be using a location that is updated by your operating system; that
is up to you to determine. If the CA is missing in an OS-maintained
location you will need to find out if the OS plans to add it. If not
then you're on your own to do that.

Please let us know what happens for the benefit of anyone who may find
themselves in a similar situation.

Also: This makes me think of a more likely break scenario where some
servers just aren't going to change their certificate, and Mozilla and
Google (and MS and Apple?) remove the Symantec CA certs from their
bundle and that trickles down, and libcurl is using one of those
OS-updated bundles.
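As an added example (not code from the thread or from the curl project), the following POSIX shell script walks through the checklist above for the curl tool: find the CA location in use (an explicit override, the CURL_CA_BUNDLE environment variable, the build-time default from `curl-config --ca`, or the CAfile/CApath lines curl prints in verbose mode) and then test a host against it, reading curl's exit status 60 as "chain does not verify against the trusted CAs". The host name is the placeholder from the original post, and the verbose-output layouts handled are the ones curl has printed with OpenSSL-style backends.

```shell
#!/bin/sh
# Added example, not from the thread: find out which CA bundle a curl/libcurl
# install trusts, then test whether a host's new certificate chain verifies
# against it. "tbd.tbdservice.com" is the placeholder host from the post.

# Pull "CAfile:" / "CApath:" out of curl -v output. Both the older layout
# ("*   CAfile: ..." followed by "  CApath: none") and the newer one
# ("*  CAfile: ..." / "*  CApath: ...") are handled.
verbose_cafile() { printf '%s\n' "$1" | sed -n 's/^[* ]*CAfile:[[:space:]]*//p' | head -n 1; }
verbose_capath() { printf '%s\n' "$1" | sed -n 's/^[* ]*CApath:[[:space:]]*//p' | head -n 1; }

# Effective bundle for the curl tool, in precedence order: explicit
# --cacert override, CURL_CA_BUNDLE in the environment, then the path
# compiled in at build time (curl-config --ca; empty if none was set).
effective_ca_bundle() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; return; fi
    if [ -n "${CURL_CA_BUNDLE-}" ]; then printf '%s\n' "$CURL_CA_BUNDLE"; return; fi
    curl-config --ca 2>/dev/null || true
}

# Map curl's exit status to the question the thread asks: exit 60 is
# CURLE_PEER_FAILED_VERIFICATION (CURLE_SSL_CACERT in 2017-era libcurl),
# i.e. the server chain does not lead to a CA the bundle trusts.
classify_exit() {
    case "$1" in
        0)  echo "verified" ;;
        60) echo "untrusted-ca" ;;
        *)  echo "other($1)" ;;
    esac
}

# HEAD request with peer verification on, optionally against a candidate
# bundle (e.g. one that contains the new issuing CA the vendor names).
check_host() {
    host=$1; bundle=${2-}
    if [ -n "$bundle" ]; then set -- --cacert "$bundle"; else set --; fi
    out=$(curl -sS -v -I -o /dev/null "$@" "https://$host/" 2>&1); rc=$?
    echo "bundle in use: $(effective_ca_bundle "$bundle")"
    echo "CAfile: $(verbose_cafile "$out")  CApath: $(verbose_capath "$out")"
    echo "result: $(classify_exit "$rc")"
    return "$rc"
}

# Usage: ./cacheck.sh tbd.tbdservice.com [/path/to/candidate-bundle.pem]
if [ "$#" -gt 0 ]; then check_host "$@"; fi
```

Run it once against the current bundle and once with the vendor's candidate bundle via the second argument; a "verified" result only with the candidate means the CA still has to reach whatever location libcurl actually reads on the deployed systems.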

Received on 2017-12-23