curl-library

Re: /etc/ssl/certs/ instead of curl-ca-bundle.crt by default

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 6 Feb 2008 18:28:01 +0100 (CET)

On Wed, 6 Feb 2008, Michal Marek wrote:

> I occasionally get requests to change the openSUSE libcurl package to use
> openssl's /etc/ssl/certs/ instead of curl's own curl-ca-bundle.crt by
> default (the win would be in having one certificate selection less in the
> system).

I would recommend that as well (although I would probably go with the CA
bundle used by Mozilla/Firefox like this:
http://curl.haxx.se/docs/caextract.html). The CA cert bundle that we ship is
so old and outdated it becomes less and less useful over time...

> Are there any side-effects to think about when changing it? One possible
> side-effect is that setting CURLOPT_CAINFO from within an application won't
> unset the now default CURLOPT_CAPATH. Dunno how much of an issue that is.
> Anything else? Is it a good / bad idea?

I believe at least Debian and Ubuntu are already doing this, and I think
Fedora is doing something similar (although NSS-based these days). I've not
seen any critical downsides with this.

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2008-02-06