curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Does cURL accept a CA that is not self signed?

From: Jeffrey Walton via curl-library <>
Date: Fri, 29 Nov 2019 09:08:12 -0500

On Fri, Nov 29, 2019 at 7:07 AM Daniel Stenberg <> wrote:
> On Fri, 29 Nov 2019, Jeffrey Walton wrote:
> ...
> I take your long email was a funny way to say: "I want curl to be okay with
> partial cert chains with OpenSSL since it doesn't impose any additional
> security problem and other TLS libraries/backends already support that" ?

Well spoken, sir.

For the common case, do nothing. Leave cURL the way it is. That
captures the 95%'ers.

For folks who prefer to specify a trust anchor, provide us with an
option like CURLOPT_TRUSTANCHOR. Accept my list of CA(s). When cURL
encounters the option, add X509_V_FLAG_PARTIAL_CHAIN to the OpenSSL
context options.

GnuTLS backend silently accepts CURLOPT_TRUSTANCHOR since that is
default behavior.

On older OpenSSL without X509_V_FLAG_PARTIAL_CHAIN,
CURLOPT_TRUSTANCHOR should probably return an error.

Received on 2019-11-29