diff options
-rw-r--r-- | UPGRADE | 34 |
1 files changed, 0 insertions, 34 deletions
diff --git a/UPGRADE b/UPGRADE deleted file mode 100644 index c5e36c26b..000000000 --- a/UPGRADE +++ /dev/null @@ -1,34 +0,0 @@ -Upgrading to curl/libcurl 7.10 from any previous version -======================================================== - -libcurl 7.10 performs peer SSL certificate verification by default. This is -done by installing a default CA cert bundle on 'make install' (or similar), -that CA bundle package is used by default on operations against SSL servers. - -Alas, if you communicate with HTTPS servers using certifcates that are signed -by CAs present in the bundle, you will not notice any changed behavior and you -will seeminglessly get a higher security level on your SSL connections since -can be sure that the remote server really is the one it claims to be. - -If the remote server uses a self-signed certificate, or if you don't install -curl's CA cert bundle or if it uses a certificate signed by a CA that isn't -included in the bundle, then you need to do one of the following: - - 1. Tell libcurl to *not* verify the peer. With libcurl you disable with with - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); - - With the curl command tool, you disable this with -k/--insecure. - - 2. Get a CA certificate that can verify the remote server and use the proper - option to point out this CA cert for verification when connecting. For - libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath); - - With the curl command tool: --cacert [file] - -This upgrade procedure has been deemed The Right Thing even though it adds -this extra trouble for some users, since it adds security to a majority of the -SSL connections that previously weren't really secure. - -It turned out many people were using previous versions of curl/libcurl without -realizing the need for the CA cert options to get truly secure SSL -connections. |