diff options
Diffstat (limited to 'docs')
-rw-r--r-- | docs/SSLCERTS | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/docs/SSLCERTS b/docs/SSLCERTS new file mode 100644 index 000000000..a17b33a6c --- /dev/null +++ b/docs/SSLCERTS @@ -0,0 +1,39 @@ + Peer SSL Certificate Verification + ================================= + +Starting in 7.10, libcurl performs peer SSL certificate verification by +default. This is done by installing a default CA cert bundle on 'make install' +(or similar), that CA bundle package is used by default on operations against +SSL servers. + +Alas, if you communicate with HTTPS servers using certificates that are signed +by CAs present in the bundle, you will not notice any changed behavior and you +will seamlessly get a higher security level on your SSL connections since you +can be sure that the remote server really is the one it claims to be. + +If the remote server uses a self-signed certificate, or if you don't install +curl's CA cert bundle or if it uses a certificate signed by a CA that isn't +included in the bundle, then you need to do one of the following: + + 1. Tell libcurl to *not* verify the peer. With libcurl you disable with with + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); + + With the curl command tool, you disable this with -k/--insecure. + + 2. Get a CA certificate that can verify the remote server and use the proper + option to point out this CA cert for verification when connecting. For + libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath); + + With the curl command tool: --cacert [file] + +Neglecting to use one of the above menthods when dealing with a server using a +certficate that isn't signed by one of the certficates in the installed CA +cert bundle, will cause SSL to report an error ("certificate verify failed") +during the handshake and SSL will then refuse further communication with that +server. + +This procedure has been deemed The Right Thing even though it adds this extra +trouble for some users, since it adds security to a majority of the SSL +connections that previously weren't really secure. It turned out many people +were using previous versions of curl/libcurl without realizing the need for +the CA cert options to get truly secure SSL connections. |