aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2002-11-11 22:37:59 +0000
committerDaniel Stenberg <daniel@haxx.se>2002-11-11 22:37:59 +0000
commit16f9755e73accca617690dbd272261f7cf0da1be (patch)
treebf962e72ec11cb3a5c7c73869d96105e9e45011e
parent66eb98bb0a3d171b91c77f8a536011f6b25c1adc (diff)
UPGRADE was renamed into this "SSLCERTS"
-rw-r--r--SSLCERTS34
1 files changed, 34 insertions, 0 deletions
diff --git a/SSLCERTS b/SSLCERTS
new file mode 100644
index 000000000..c5e36c26b
--- /dev/null
+++ b/SSLCERTS
@@ -0,0 +1,34 @@
+Upgrading to curl/libcurl 7.10 from any previous version
+========================================================
+
+libcurl 7.10 performs peer SSL certificate verification by default. This is
+done by installing a default CA cert bundle on 'make install' (or similar),
+that CA bundle package is used by default on operations against SSL servers.
+
+Alas, if you communicate with HTTPS servers using certifcates that are signed
+by CAs present in the bundle, you will not notice any changed behavior and you
+will seeminglessly get a higher security level on your SSL connections since
+can be sure that the remote server really is the one it claims to be.
+
+If the remote server uses a self-signed certificate, or if you don't install
+curl's CA cert bundle or if it uses a certificate signed by a CA that isn't
+included in the bundle, then you need to do one of the following:
+
+ 1. Tell libcurl to *not* verify the peer. With libcurl you disable with with
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
+
+ With the curl command tool, you disable this with -k/--insecure.
+
+ 2. Get a CA certificate that can verify the remote server and use the proper
+ option to point out this CA cert for verification when connecting. For
+ libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath);
+
+ With the curl command tool: --cacert [file]
+
+This upgrade procedure has been deemed The Right Thing even though it adds
+this extra trouble for some users, since it adds security to a majority of the
+SSL connections that previously weren't really secure.
+
+It turned out many people were using previous versions of curl/libcurl without
+realizing the need for the CA cert options to get truly secure SSL
+connections.