From e3e8d0204b72509cfd63d97a159d1ac3fdea703b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 10 Apr 2017 17:40:30 +0200 Subject: nss: load libnssckbi.so if no other trust is specified The module contains a more comprehensive set of trust information than supported by nss-pem, because libnssckbi.so also includes information about distrusted certificates. Reviewed-by: Kai Engert Closes #1414 --- docs/libcurl/opts/CURLOPT_CAINFO.3 | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'docs/libcurl') diff --git a/docs/libcurl/opts/CURLOPT_CAINFO.3 b/docs/libcurl/opts/CURLOPT_CAINFO.3 index 127b90443..43a4901f0 100644 --- a/docs/libcurl/opts/CURLOPT_CAINFO.3 +++ b/docs/libcurl/opts/CURLOPT_CAINFO.3 @@ -40,6 +40,11 @@ is assumed to be stored, as established at build time. If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module (libnsspem.so) needs to be available for this option to work properly. +Starting with curl-7.55.0, if both \fICURLOPT_CAINFO(3)\fP and +\fICURLOPT_CAPATH(3)\fP are unset, NSS-linked libcurl tries to load +libnssckbi.so, which contains a more comprehensive set of trust information +than supported by nss-pem, because libnssckbi.so also includes information +about distrusted certificates. (iOS and macOS only) If curl is built against Secure Transport, then this option is supported for backward compatibility with other SSL engines, but it -- cgit v1.2.3
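Review bot: "unset" in the added paragraph of CURLOPT_CAINFO.3 is ambiguous next to the context line just above it, which says the default bundle location is "established at build time"; state whether a build-time default counts as set, or whether libnssckbi.so is loaded only when no CA file or path is in effect at all, neither from the application nor from the build. "tries to load" also leaves the failure case undocumented: say whether certificate verification then runs with no trust anchors and fails, or whether something else is used instead. Since the condition also depends on \fICURLOPT_CAPATH(3)\fP and the diffstat lists only this one man page under docs/libcurl, the same paragraph would be worth adding to CURLOPT_CAPATH.3.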