curl-tracker mailing list Archives

[ curl-Bugs-1884844 ] Upgrade ca-bundle.crt please

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Fri, 01 Feb 2008 15:31:10 -0800

Bugs item #1884844, was opened at 2008-02-01 12:41
Message generated for change (Comment added) made by dfandrich
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1884844&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: SSL/TLS
Group: wrong content
Status: Closed
Resolution: Rejected
Priority: 5
Private: No
Submitted By: Dax (dkelson)
Assigned to: Daniel Stenberg (bagder)
Summary: Upgrade ca-bundle.crt please

Initial Comment:
Curl does SSL certificate verification by default by virtue of CURLOPT_SSL_VERIFYPEER.

Unfortunately the shipped lib/ca-bundle.crt is woefully outdated; this means that curl and libcurl-based apps routinely fail to connect to SSL sites with certificates issued by modern CAs.

From curl 7.18.0's ca-bundle.crt:

## Last Modified: Thu Mar 2 09:32:46 CET 2000

## This is a bundle of X.509 certificates of public
## Certificate Authorities (CA). These were
## automatically extracted from Netscape Communicator
## 4.72's certificate database (the file `cert7.db').

That's when Bill Clinton was still president of the USA.

Please update from the Mozilla root CA list.

http://www.mozilla.org/projects/security/certs/

----------------------------------------------------------------------

>Comment By: Dan Fandrich (dfandrich)
Date: 2008-02-01 15:31

Message:
Logged In: YES
user_id=236775
Originator: NO

Duplicate of #1706732

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-02-01 13:28

Message:
Logged In: YES
user_id=1110
Originator: NO

The Mozilla bundle can be downloaded from the curl web site:

http://curl.haxx.se/docs/caextract.html

We can't use that due to licensing problems with it, and I've declined to
gather my own collection. If you're prepared to collect a ca cert bundle
with a license we can ship with curl I'll be happy.

Of course we can argue whether Mozilla really can license the certs like
this, but since they have, this is the current state, and until changed I
don't feel we can use it.

All modern distributions are already providing updated ca-certs and the
one shipped with the curl sources should be seen as a mere example these
days.

----------------------------------------------------------------------

Received on 2008-02-02
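
The header check the reporter did by eye can be automated to flag old CA bundles on a set of hosts. This is an added example, not code from the curl project or from anyone in this thread; the function names and the one-year threshold are assumptions, and the PEM blocks in the sample are constructed placeholders, not real certificates.

```python
import re
from datetime import date

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
HEADER = re.compile(r"^##\s*Last Modified:\s*(.+?)\s*$", re.MULTILINE)
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

# Header lines as quoted in the report; certificate bodies are constructed.
SAMPLE = """## Last Modified: Thu Mar 2 09:32:46 CET 2000
## This is a bundle of X.509 certificates of public
## Certificate Authorities (CA).

-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"""

def header_date(bundle_text):
    """Return the date from the '## Last Modified:' header, or None."""
    m = HEADER.search(bundle_text)
    if not m:
        return None
    # Expected form: 'Thu Mar 2 09:32:46 CET 2000'. The zone abbreviation is
    # skipped because strptime's %Z does not reliably parse names like CET.
    parts = m.group(1).split()
    try:
        return date(int(parts[-1]), MONTHS.index(parts[1]) + 1, int(parts[2]))
    except (IndexError, ValueError):
        return None

def audit_bundle(bundle_text, today, max_age_days=365):
    """Summarise a bundle: header date, age in days, cert count, verdict."""
    stamped = header_date(bundle_text)
    age = (today - stamped).days if stamped else None
    if age is None:
        verdict = "unknown"   # no usable header: needs manual inspection
    else:
        verdict = "stale" if age > max_age_days else "current"
    return {"last_modified": stamped, "age_days": age,
            "certificates": bundle_text.count(PEM_BEGIN), "verdict": verdict}

if __name__ == "__main__":
    # Age of the 7.18.0 bundle on the day the bug was opened.
    print(audit_bundle(SAMPLE, date(2008, 2, 1)))
```

A "stale" or "unknown" verdict is a reason to point the application at a maintained bundle, such as the distribution's ca-certs mentioned above, while leaving CURLOPT_SSL_VERIFYPEER enabled.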

These mail archives are generated by hypermail.

Page updated November 12, 2010.