curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Does cURL accept a CA that is not self signed?

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 29 Nov 2019 09:02:30 +0100 (CET)

On Thu, 28 Nov 2019, Jeffrey Walton wrote:

> Are folks using the Let's Encrypt X3 ca certificate, or the CA Zoo with 137
> ca's?

I don't think you'll gain many bonus points here for using "funny" terms for
established concepts.

I'm convinced most people use a full fledged "CA store" for their curl
operations just as they do with their browsers.

> If it is the CA Zoo, then folks have exponentially increased their attack
> surface. I still remember Diginotar [0,1], and more recently companies like
> Symantec issuing certificates for domains they had no administrative or
> relationship with or operational control over [2].

Sure, but the CA world has also improved quite significantly since then with
CT, CAA and more which makes such attacks and mistakes much harder to do now
without getting caught really quickly.

> No. I'm only using the Let's Encrypt X3 ca certificate. I only use the CA
> needed for the end entity certificate at hand.

Right, but that is an intermediate cert and not a root cert if I understand
things correctly so you're asking curl to verify a partial cert "chain".

My Let's Encrypt sites have their certs chained like this:

  - ISRG Root X1
   - Let's Encrypt Authority X3
    - [my site]

[from another mail]

> It looks like X509_V_FLAG_PARTIAL_CHAIN was discussed before for cURL, but I
> could not tell where it ended

I was never merged. From the look of it because nobody argued for it and could
motivate properly for *why* we would need it so it just faded into oblivion.

"It would fix my problems" isn't strong enough. I will admit that I'm not sure
I personally can fully assess the security implications of setting that bit.
But yes, it seems other TLS libraries already have that behavior by default.

-- 
  / daniel.haxx.se | Get the best commercial curl support there is - from me
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2019-11-29