diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2003-07-23 11:38:19 +0000 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2003-07-23 11:38:19 +0000 |
| commit | 789ab20bf783fa86149a665efb8a120ee9205c71 (patch) | |
| tree | 595edce16be4770afd86453e8e59d4de859b8474 /SSLCERTS | |
| parent | b47462bd68e5bfe8c168a38507bf46190e79ffae (diff) | |
moved SSLCERTS into the docs/ directory
Diffstat (limited to 'SSLCERTS')
| -rw-r--r-- | SSLCERTS | 39 |
1 files changed, 0 insertions, 39 deletions
diff --git a/SSLCERTS b/SSLCERTS deleted file mode 100644 index a17b33a6c..000000000 --- a/SSLCERTS +++ /dev/null @@ -1,39 +0,0 @@ - Peer SSL Certificate Verification - ================================= - -Starting in 7.10, libcurl performs peer SSL certificate verification by -default. This is done by installing a default CA cert bundle on 'make install' -(or similar), that CA bundle package is used by default on operations against -SSL servers. - -Alas, if you communicate with HTTPS servers using certificates that are signed -by CAs present in the bundle, you will not notice any changed behavior and you -will seamlessly get a higher security level on your SSL connections since you -can be sure that the remote server really is the one it claims to be. - -If the remote server uses a self-signed certificate, or if you don't install -curl's CA cert bundle or if it uses a certificate signed by a CA that isn't -included in the bundle, then you need to do one of the following: - - 1. Tell libcurl to *not* verify the peer. With libcurl you disable with with - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); - - With the curl command tool, you disable this with -k/--insecure. - - 2. Get a CA certificate that can verify the remote server and use the proper - option to point out this CA cert for verification when connecting. For - libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath); - - With the curl command tool: --cacert [file] - -Neglecting to use one of the above menthods when dealing with a server using a -certficate that isn't signed by one of the certficates in the installed CA -cert bundle, will cause SSL to report an error ("certificate verify failed") -during the handshake and SSL will then refuse further communication with that -server. - -This procedure has been deemed The Right Thing even though it adds this extra -trouble for some users, since it adds security to a majority of the SSL -connections that previously weren't really secure. It turned out many people -were using previous versions of curl/libcurl without realizing the need for -the CA cert options to get truly secure SSL connections. |