Download
Browse source Changelog
Documentation
Project   Bug Bounty   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Does cURL accept a CA that is not self signed?

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 29 Nov 2019 09:02:30 +0100 (CET)

On Thu, 28 Nov 2019, Jeffrey Walton wrote:

> Are folks using the Let's Encrypt X3 ca certificate, or the CA Zoo with 137
> ca's?

I don't think you'll gain many bonus points here for using "funny" terms for
established concepts.

I'm convinced most people use a full fledged "CA store" for their curl
operations just as they do with their browsers.

> If it is the CA Zoo, then folks have exponentially increased their attack
> surface. I still remember Diginotar [0,1], and more recently companies like
> Symantec issuing certificates for domains they had no administrative or
> relationship with or operational control over [2].

Sure, but the CA world has also improved quite significantly since then with
CT, CAA and more which makes such attacks and mistakes much harder to do now
without getting caught really quickly.

> No. I'm only using the Let's Encrypt X3 ca certificate. I only use the CA
> needed for the end entity certificate at hand.

Right, but that is an intermediate cert and not a root cert if I understand
things correctly so you're asking curl to verify a partial cert "chain".

My Let's Encrypt sites have their certs chained like this:

  - ISRG Root X1
   - Let's Encrypt Authority X3
    - [my site]

[from another mail]

> It looks like X509_V_FLAG_PARTIAL_CHAIN was discussed before for cURL, but I
> could not tell where it ended

I was never merged. From the look of it because nobody argued for it and could
motivate properly for *why* we would need it so it just faded into oblivion.

"It would fix my problems" isn't strong enough. I will admit that I'm not sure
I personally can fully assess the security implications of setting that bit.
But yes, it seems other TLS libraries already have that behavior by default. 

-- 
  / daniel.haxx.se | Get the best commercial curl support there is - from me
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2019-11-29