From d003f6e125f5587594d453b6c2001f056c214c29 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 Aug 2004 07:02:51 +0000 Subject: mention the new cool CA extraction way just documented --- docs/SSLCERTS | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index 7ac7f8e77..a46006266 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS @@ -1,15 +1,13 @@ Peer SSL Certificate Verification ================================= -Since version 7.10, libcurl performs peer SSL certificate verification by -default. This is done by installing a default CA cert bundle on 'make install' -(or similar), that CA bundle package is used by default on operations against -SSL servers. +libcurl performs peer SSL certificate verification by default. This is done by +installing a default CA cert bundle on 'make install' (or similar), that CA +bundle package is used by default on operations against SSL servers. -Alas, if you communicate with HTTPS servers using certificates that are signed -by CAs present in the bundle, you will not notice any changed behavior and you -will seamlessly get a higher security level on your SSL connections since you -can be sure that the remote server really is the one it claims to be. +If you communicate with HTTPS or FTPS servers using certificates that are +signed by CAs present in the bundle, you can be sure that the remote server +really is the one it claims to be. If the remote server uses a self-signed certificate, if you don't install curl's CA cert bundle, if the server uses a certificate signed by a CA that @@ -47,6 +45,12 @@ server, do one of the following: 4. Windows Directory (e.g. C:\windows) 5. all directories along %PATH% + 4. Get a better/different/newer CA cert bundle! One option is to extract the + one a recent Mozilla browser uses, by following the instruction found + here: + + http://curl.haxx.se/docs/caextract.html + Neglecting to use one of the above methods when dealing with a server using a certificate that isn't signed by one of the certificates in the installed CA cert bundle, will cause SSL to report an error ("certificate verify failed") -- cgit v1.2.3