Re: Does cURL accept a CA that is not self signed?
Date: Fri, 29 Nov 2019 09:08:12 -0500
On Fri, Nov 29, 2019 at 7:07 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Fri, 29 Nov 2019, Jeffrey Walton wrote:
> ...
> I take your long email was a funny way to say: "I want curl to be okay with
> partial cert chains with OpenSSL since it doesn't impose any additional
> security problem and other TLS libraries/backends already support that" ?
Well spoken, sir.
For the common case, do nothing. Leave cURL the way it is. That
captures the 95%'ers.
For folks who prefer to specify a trust anchor, provide us with an
option like CURLOPT_TRUSTANCHOR. Accept my list of CA(s). When cURL
encounters the option, add X509_V_FLAG_PARTIAL_CHAIN to the OpenSSL
context options.
The GnuTLS backend silently accepts CURLOPT_TRUSTANCHOR, since that is
the default behavior there.
On older OpenSSL without X509_V_FLAG_PARTIAL_CHAIN,
CURLOPT_TRUSTANCHOR should probably return an error.
Jeff
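What the proposed option would change in the OpenSSL backend, shown with the openssl CLI rather than libcurl. This is an editor's added example, not code from the thread or from the curl project. It builds a root -> intermediate -> leaf chain locally (constructed test data, no network), then verifies the leaf against a trust file holding only the intermediate, first with OpenSSL's default rules and then with -partial_chain, which is the CLI spelling of X509_V_FLAG_PARTIAL_CHAIN. The names Example Root, Example Intermediate and www.example.com are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the curl-library thread: demonstrate what
# X509_V_FLAG_PARTIAL_CHAIN changes, using the openssl CLI's -partial_chain.
# All certificates are generated here (constructed test data); nothing is
# fetched from the network. Requires the openssl binary (1.1.0 or newer).
set -e

# Build root -> intermediate -> leaf in directory $1.
make_chain() {
  dir="$1"
  mkdir -p "$dir"
  # Minimal req config so the script does not depend on a system openssl.cnf.
  printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=placeholder\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/req.cnf"
  # Root CA: self-signed, CA:TRUE. This is the only thing OpenSSL accepts as a
  # trust anchor by default.
  openssl req -x509 -config "$dir/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$dir/root.key" -out "$dir/root.pem" -subj "/CN=Example Root" -days 30 2>/dev/null
  # Intermediate CA: signed by the root, so not self-signed.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Example Intermediate" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -out "$dir/int.pem" -days 30 -extfile "$dir/int.ext" 2>/dev/null
  # Leaf (server) certificate: signed by the intermediate.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=www.example.com" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -out "$dir/leaf.pem" -days 30 -extfile "$dir/leaf.ext" 2>/dev/null
}

# Each helper prints "ok" or "fail" so callers can compare outcomes.
# -no-CAfile/-no-CApath keep the system trust store out of the picture.

# Trust file holds only the intermediate. Default chain building insists on
# reaching a self-signed root, finds none, and fails ("unable to get issuer
# certificate"). This is the behaviour Jeff is asking to make optional.
verify_default() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Same trust file, but -partial_chain (X509_V_FLAG_PARTIAL_CHAIN in the API)
# lets a trusted non-self-signed certificate terminate the chain.
verify_partial() {
  if openssl verify -no-CAfile -no-CApath -partial_chain -CAfile "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Conventional case for comparison: root trusted, intermediate supplied as
# untrusted chain material, the way a TLS server sends it.
verify_full() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_chain "$WORK"
echo "intermediate as anchor, default:        $(verify_default "$WORK")"
echo "intermediate as anchor, -partial_chain: $(verify_partial "$WORK")"
echo "root as anchor, intermediate untrusted: $(verify_full "$WORK")"
```

In library terms, the second case is what a CURLOPT_TRUSTANCHOR as sketched above would do: call X509_STORE_set_flags() with X509_V_FLAG_PARTIAL_CHAIN on the store behind the SSL_CTX. With today's libcurl the same effect can be had by hand in a CURLOPT_SSL_CTX_FUNCTION callback, via SSL_CTX_get_cert_store() on the context libcurl passes in; that is an application-side workaround, not a curl option.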
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-11-29