From 64bbe9dfafc6693a96b742f3133c636385835a19 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 2 Sep 2002 22:31:18 +0000 Subject: James Gallagher's Content-Encoding work --- UPGRADE | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 UPGRADE (limited to 'UPGRADE') diff --git a/UPGRADE b/UPGRADE new file mode 100644 index 000000000..38d9679c5 --- /dev/null +++ b/UPGRADE @@ -0,0 +1,34 @@ +Upgrading to curl/libcurl 7.10 from any previous version +======================================================== + +libcurl 7.10 performs peer SSL certificate verification by default. This is +done by installing a default CA cert bundle on 'make install' (or similar), +that is used by default on operations against SSL servers. + +Alas, if you use communicate with HTTPS servers using certifcates that are +signed by CAs present in the bundle, you will not notice and changed behavior +and you will seeminglessly get a higher security level on your SSL connections +since you will make sure that the remote server really is who it claims to be. + +If the remote server uses a self-signed certificate, or if you don't install +curl's CA cert bundle or if it uses a certificate signed by a CA that isn't +included in the bundle, then you need to do one of the following: + + 1. Tell libcurl to *not* verify the peer. With libcurl you disable with with + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); + + With the curl command tool, you disable this with -k/--insecure. + + 2. Get a CA certificate that can verify the remote server and use the proper + option to point out this CA cert for verification when connecting. For + libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath); + + With the curl command tool: --cacert [file] + +This upgrade procedure has been deemed The Right Thing even though it adds +this extra trouble for some users, since it adds security to a majority of the +SSL connections that previously weren't really secure. + +It turned out many people were using previous versions of curl/libcurl without +realizing the need for the CA cert options to get truly secure SSL +connections. -- cgit v1.2.3