Re: Has the time come to drop NSS?
From: Howard Chu via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 21 Feb 2022 13:46:05 +0000
Michael Stahl via curl-library wrote:
> On 20/02/2022 14.18, Cristian Rodríguez wrote:
>> You can add a trusted CA before the handshake takes place..so no. it
>> is not the case.
>
> this is not entirely satisfying.
>
> ideally we do not really want to be in the business of deciding for the user which CAs they do or do not trust.
>
> we can easily make this decision Somebody Else's Problem on Windows and
> macOS by using the system TLS stack, at least with curl.
>
> do you know if it's possible to initialize OpenSSL in such a way that it
> reads a trust database from the operating system, and do that centrally
> for the whole process?
>
> if we would need to patch 4 bundled libraries separately to get
> this effect i would be rather sad.
>
> but this could be helpful, in case such a database can be conveniently located on every distro...
Seems that most distros use /etc/ssl/certs. You can also provide an openssl.cnf file to specify paths.
>
> i think we already have this with NSS by using NSS_InitReadWrite().
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2022-02-21
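The two points in this exchange, where an OpenSSL build looks for the system trust store by default and how to point a whole process at one store without patching each bundled library, can be checked in code. The following is an added example, not code from this thread, from Howard Chu, or from the curl project. It uses Python's standard-library ssl module because that is OpenSSL underneath and runs offline; the behaviour it exercises (the compile-time OPENSSLDIR defaults, the SSL_CERT_FILE and SSL_CERT_DIR overrides read inside SSL_CTX_set_default_verify_paths(), and the empty-store failure mode) is OpenSSL's, so it applies equally to a libcurl built against OpenSSL. The list of candidate bundle paths and all function names are this example's own assumptions; the openssl.cnf route mentioned in the reply is not covered here.

```python
"""Locating and loading the OS trust store for OpenSSL-backed TLS.

Added example, not code from the curl-library thread or the curl project. The
CANDIDATE_* lists and every function name are this example's own assumptions.
"""
import os
import ssl

# Where distros usually install the system CA bundle (assumption: which one
# exists depends on the distro's ca-certificates package; first hit wins).
CANDIDATE_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL/Fedora/CentOS
    "/etc/ssl/ca-bundle.pem",              # openSUSE/SLES
    "/etc/ssl/cert.pem",                   # Alpine, FreeBSD, macOS
)
# Hashed directories (c_rehash-style <hash>.N links), looked up lazily by OpenSSL.
CANDIDATE_DIRS = ("/etc/ssl/certs", "/etc/pki/tls/certs")


def openssl_default_paths():
    """What this OpenSSL build consults when nothing is configured explicitly.

    Returns (cafile, capath, cafile_env, capath_env): the compile-time OPENSSLDIR
    defaults and the environment variables that override them per process.
    """
    p = ssl.get_default_verify_paths()
    return p.openssl_cafile, p.openssl_capath, p.openssl_cafile_env, p.openssl_capath_env


def find_system_store(bundles=CANDIDATE_BUNDLES, dirs=CANDIDATE_DIRS):
    """Return (cafile, capath) for the first existing bundle or hashed dir, else (None, None)."""
    for f in bundles:
        if os.path.isfile(f):
            return f, None
    for d in dirs:
        if os.path.isdir(d):
            return None, d
    return None, None


def pin_process_trust_store(cafile=None, capath=None, environ=os.environ):
    """Point every later OpenSSL default-path lookup in this process at one store.

    OpenSSL reads SSL_CERT_FILE / SSL_CERT_DIR inside SSL_CTX_set_default_verify_paths(),
    so this must run before any library in the process (libcurl, Python ssl, ...)
    builds its contexts; contexts created earlier keep whatever they already loaded.
    """
    p = ssl.get_default_verify_paths()
    if cafile:
        environ[p.openssl_cafile_env] = cafile
    if capath:
        environ[p.openssl_capath_env] = capath
    return dict(environ)


def verifying_context(cafile=None, capath=None):
    """Build a verifying client context and report how many CA certs it really holds.

    An empty store does not fail here; it fails later with "unable to get local
    issuer certificate" on every handshake, so check the count up front. Certs in
    a hashed capath are loaded on demand and therefore do not show in the count.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        ctx.load_default_certs()  # OPENSSLDIR defaults, honouring SSL_CERT_FILE/SSL_CERT_DIR
    return ctx, ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    print("OpenSSL defaults (cafile, capath, cafile_env, capath_env):", openssl_default_paths())
    cafile, capath = find_system_store()
    print("system store found:", cafile or capath)
    ctx, n = verifying_context(cafile, capath)
    print("CA certs loaded into context:", n)
    if cafile and n == 0:
        raise SystemExit("trust store is empty; every TLS verification would fail")
```

Running it prints the build's OPENSSLDIR defaults, which is the quickest way to see whether a bundled OpenSSL was compiled with a path that exists on the target distro at all. The environment-variable route is the one that works centrally for a process, but only for contexts created after the variables are set; the curl command-line tool additionally honours CURL_CA_BUNDLE and the --cacert/--capath options, and libcurl's CURLOPT_CAINFO/CURLOPT_CAPATH take precedence over OpenSSL's defaults for that handle.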