Download
Browse source Changelog
Documentation
Project   Bug Bounty   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Curl thinks SSL cert for code.jquery.com has expired

From: Felipe Gasper via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 1 Jun 2020 18:25:21 -0400

It’s the Sectigo (fka Comodo) “AddTrust” root certificate, which just expired on Saturday.

The standard root bundle includes a “UserTrust” root certificate that’s signed by that AddTrust certificate, and the presence of that certificate in the root bundle should obviate any need for the AddTrust root, but apparently OpenSSL is failing the validation because of the expired AddTrust root even though UserTrust is a trusted root.

More details about the Sectigo side:
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

-F

> On Jun 1, 2020, at 4:57 PM, Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se> wrote:
>
> On Mon, 1 Jun 2020, Mark Rogers via curl-library wrote:
>
>> Using curl on macOS 10.15.4
>
> ...
>
>> Is this a LibreSSL issue?
>
> Yes. This is a LibreSSL issue, also found in OpenSSL before 1.1.0, in all versions of GnuTLS and probably in some other TLS libs too.
>
> From my understanding, the issue seems to be that these libraries have flaws and beleive there's a problem with an expired cert, even though there is another trust chain that doesn't include the expired cert.
>
> --
>
> / daniel.haxx.se | Commercial curl support up to 24x7 is available!
> | Private help, bug fixes, support, ports, new features
> | https://www.wolfssl.com/contact/
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-06-02