diff options
author | Daniel Stenberg <daniel@haxx.se> | 2004-08-09 07:02:51 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2004-08-09 07:02:51 +0000 |
commit | d003f6e125f5587594d453b6c2001f056c214c29 (patch) | |
tree | 7ddb89317b3a22b74debfb08a82987f04747e153 /docs/SSLCERTS | |
parent | 1dfff2487f617443adc9be5b8acd35d64139fae7 (diff) |
mention the new cool CA extraction way just documented
Diffstat (limited to 'docs/SSLCERTS')
-rw-r--r-- | docs/SSLCERTS | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/docs/SSLCERTS b/docs/SSLCERTS index 7ac7f8e77..a46006266 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS @@ -1,15 +1,13 @@ Peer SSL Certificate Verification ================================= -Since version 7.10, libcurl performs peer SSL certificate verification by -default. This is done by installing a default CA cert bundle on 'make install' -(or similar), that CA bundle package is used by default on operations against -SSL servers. +libcurl performs peer SSL certificate verification by default. This is done by +installing a default CA cert bundle on 'make install' (or similar), that CA +bundle package is used by default on operations against SSL servers. -Alas, if you communicate with HTTPS servers using certificates that are signed -by CAs present in the bundle, you will not notice any changed behavior and you -will seamlessly get a higher security level on your SSL connections since you -can be sure that the remote server really is the one it claims to be. +If you communicate with HTTPS or FTPS servers using certificates that are +signed by CAs present in the bundle, you can be sure that the remote server +really is the one it claims to be. If the remote server uses a self-signed certificate, if you don't install curl's CA cert bundle, if the server uses a certificate signed by a CA that @@ -47,6 +45,12 @@ server, do one of the following: 4. Windows Directory (e.g. C:\windows) 5. all directories along %PATH% + 4. Get a better/different/newer CA cert bundle! One option is to extract the + one a recent Mozilla browser uses, by following the instruction found + here: + + http://curl.haxx.se/docs/caextract.html + Neglecting to use one of the above methods when dealing with a server using a certificate that isn't signed by one of the certificates in the installed CA cert bundle, will cause SSL to report an error ("certificate verify failed") |