-rw-r--r-- docs/FAQ 33
-rw-r--r-- lib/ca-bundle.crt 42
2 files changed, 63 insertions, 12 deletions
diff --git a/docs/FAQ b/docs/FAQ
index 66c926de9..36a6791fe 100644
--- a/docs/FAQ
+++ b/docs/FAQ
@@ -1,4 +1,4 @@
-Updated: Dec 10, 2007 (http://curl.haxx.se/docs/faq.html)
+Updated: Feb 7, 2008 (http://curl.haxx.se/docs/faq.html)
_ _ ____ _
___| | | | _ \| |
/ __| | | | |_) | |
@@ -18,6 +18,7 @@ FAQ
1.8 I have a problem who do I mail?
1.9 Where do I buy commercial support for curl?
1.10 How many are using curl?
+ 1.11 Why don't you update ca-bundle.crt
2. Install Related Problems
2.1 configure doesn't find OpenSSL even when it is installed
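Review bot: the new table-of-contents entry "1.11 Why don't you update ca-bundle.crt" has no closing question mark, while entries 1.8, 1.9 and 1.10 directly above all end in "?". Add it here and on the matching section heading further down so the two stay identical.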
@@ -296,7 +297,7 @@ FAQ
as used by numerous applications that include libcurl binaries in their
distribution packages (like Adobe Acrobat Reader and Google Earth).
- More than 70 known named companies use curl in commercial environments and
+ More than 80 known named companies use curl in commercial environments and
products. More than 100 known named open source projects depend on
(lib)curl.
@@ -317,6 +318,34 @@ FAQ
http://counter.li.org/estimates.php
http://news.netcraft.com/archives/2005/03/14/fedora_makes_rapid_progress.html
+ 1.11 Why don't you update ca-bundle.crt
+
+ The ca-bundle.crt file is to be treated as an example file these days, as it
+ is very outdated (it being last modified year 2000 should tell) and should
+ be replaced with a much more modern and up-to-date version by anyone who
+ wants to verify peers.
+
+ In the cURL project we've decided not to attempt to keep this file updated
+ since deciding what to add to a ca cert bundle is an undertaking we've not
+ been ready to accept.
+
+ Today, with many services performed over HTTPS, every operating system
+ should come with a default ca cert bundle that can be deemed somewhat
+ trustworthy and that collection (if reasonably updated) should be deemed to
+ be a lot better than this old file.
+
+ If you want the most recent collection of ca certs that Mozilla Firefox uses
+ (which should be seen as the effictive successor of Netscape 4.72 from where
+ this particular bundle originates from), we recommend that you extract the
+ collection yourself from Mozilla Firefox, or by using our service setup for
+ this purpose: http://curl.haxx.se/docs/caextract.html
+
+ Due to the licensing of that particular file, we've decided to not simply
+ include that in the curl package/tree. It is of course arguable whether the
+ cacerts themselves actually are licensed under the Firefox's licenses but
+ until proven otherwise we will assume so and thus we avoid putting them in
+ any curl release/tarball.
+
2. Install Related Problems
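Review bot: the fourth paragraph of 1.11 sends readers to http://curl.haxx.se/docs/caextract.html for a replacement bundle, but the entry never says how to check that file or how to use it with curl. The bundle is the set of trust anchors for peer verification and the link is plain http://, so add a sentence telling readers to verify what they download (or to extract it locally from Firefox, as the text already offers), and link http://curl.haxx.se/docs/sslcerts.html the way the ca-bundle.crt header in this same commit does. In the same paragraph "effictive" should be "effective", and "from where this particular bundle originates from" has a doubled "from".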
diff --git a/lib/ca-bundle.crt b/lib/ca-bundle.crt
index d60b91110..6c0bec9eb 100644
--- a/lib/ca-bundle.crt
+++ b/lib/ca-bundle.crt
@@ -1,18 +1,40 @@
##
## $Id$
##
-## ca-bundle.crt -- Bundle of CA Root Certificates
-## Last Modified: Thu Mar 2 09:32:46 CET 2000
+## Last Modified: Thu Mar 2 09:32:46 CET 2000
+## (although we removed a cert from it in March 2003)
##
-## This is a bundle of X.509 certificates of public
-## Certificate Authorities (CA). These were automatically
-## extracted from Netscape Communicator 4.72's certificate database
-## (the file `cert7.db'). It contains the certificates in both
-## plain text and PEM format and therefore can be directly used
-## with an Apache+mod_ssl webserver for SSL client authentication.
-## Just configure this file as the SSLCACertificateFile.
+## This is a bundle of X.509 certificates of public Certificate Authorities
+## (CA). These were automatically extracted from Netscape Communicator 4.72's
+## certificate database (the file `cert7.db').
##
-## (SKIPME)
+## This file is to be treated as an example file these days, as it is very
+## outdated (it being last modified year 2000 should tell) and should be
+## replaced with a much more modern and up-to-date version.
+##
+## In the cURL project we've decided not to attempt to keep this file updated
+## since deciding what to add to a ca cert bundle is an undertaking we've not
+## been ready to accept.
+##
+## Today, with many services performed over HTTPS, every operating system
+## should come with a default ca cert bundle that can be deemed somewhat
+## trustworthy and that collection (if reasonably updated) should be deemed to
+## be a lot better than this old file.
+##
+## If you want the most recent collection of ca certs that Mozilla Firefox
+## uses (which should be seen as the effictive successor of Netscape 4.72 from
+## where this particular bundle originates from), we recommend that you
+## extract the collection yourself from Mozilla Firefox, or by using our
+## service setup for this purpose: http://curl.haxx.se/docs/caextract.html
+##
+## Due to the licensing of that particular file, we've decided to not simply
+## include that in the curl package/tree. It is of course arguable whether the
+## cacerts themselves actually are licensed under the Firefox's licenses but
+## until proven otherwise we will assume so and thus we avoid putting them in
+## any curl release/tarball.
+##
+## For more details on CA certs, how to use them with curl and a little about
+## what they're good for, see http://curl.haxx.se/docs/sslcerts.html
##
ABAecom (sub., Am. Bankers Assn.) Root CA
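Review bot: at the top of the header the line "## ca-bundle.crt -- Bundle of CA Root Certificates" is removed and nothing replaces it, so the file no longer names itself before the Last Modified date; keep that title line. The "(SKIPME)" marker is dropped as well, so confirm nothing reads the header looking for it. The added paragraphs repeat FAQ 1.11 almost word for word, including the "effictive" typo and "from where ... originates from"; a shorter header that says the file is an outdated example and points at the FAQ entry and sslcerts.html would leave a single copy to maintain.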