curl-library

Support for openssl trusted_first flag

From: Ryan Schmidt <curl-2015_at_ryandesign.com>
Date: Tue, 26 May 2015 02:05:59 -0500

Hello,

Some time ago the idea was brought up to use openssl's new -trusted_first / X509_V_FLAG_TRUSTED_FIRST mode; a patch was provided:

http://curl.haxx.se/mail/lib-2011-12/0223.html

This issue came up for MacPorts recently:

https://trac.macports.org/ticket/47805

It looks like -trusted_first / X509_V_FLAG_TRUSTED_FIRST didn't actually get into openssl until version 1.0.2, released in March 2015. But now that it is, other software is starting to use it. For example, Python 2.7.10 was released to use this option:

http://bugs.python.org/issue23476

I am not an expert in these matters, having just found out about the issue, but it seems like it is important for curl to use this mode, or at least give the user the option to use this mode; otherwise some valid certificates are seen as invalid.

-Ryan

Received on 2015-05-26
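
An added example, not part of the original post and not curl or Python project code: Python's `ssl` module exposes the OpenSSL flag discussed above as `ssl.VERIFY_X509_TRUSTED_FIRST`. The helper names here are hypothetical; the sketch builds a verifying client context with the flag set, fails closed when the linked OpenSSL predates the 1.0.2 release named in the post, and reports the settings a reviewer would check.

```python
import ssl

# Assumption taken from the post: 1.0.2 is the first OpenSSL release
# that carries X509_V_FLAG_TRUSTED_FIRST.
MIN_OPENSSL = (1, 0, 2)


def trusted_first_flag():
    """Return the ssl-module constant for trusted-first, or None if unavailable."""
    if ssl.OPENSSL_VERSION_INFO[:3] < MIN_OPENSSL:
        return None
    # Older Python builds may not export the constant at all.
    return getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", None)


def make_client_context(cafile=None, require_trusted_first=True):
    """Build a verifying client context with trusted-first chain building on."""
    ctx = ssl.create_default_context(cafile=cafile)
    flag = trusted_first_flag()
    if flag is None:
        if require_trusted_first:
            # Fail closed rather than silently validating with the old
            # chain-building order.
            raise RuntimeError(
                "trusted-first not available with " + ssl.OPENSSL_VERSION)
        return ctx
    ctx.verify_flags |= flag
    return ctx


def audit_context(ctx):
    """Report the settings that decide how peer certificates are validated."""
    flag = trusted_first_flag()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "trusted_first": flag is not None and bool(ctx.verify_flags & flag),
    }


if __name__ == "__main__":
    print(audit_context(make_client_context()))
```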