Date: Tue, 20 Dec 2011 10:10:46 -0800
From: Dan Fandrich <[email protected]>
To: [email protected]
Subject: Re: Support for openssl trusted_first flag
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

On Tue, Dec 20, 2011 at 05:47:11PM +0000, Robert Foreman wrote:
> Openssl defines a flag, -trusted_first, which causes it to verify
> certificates using a trusted certificate store, even if an untrusted
> store is also available. This is described in a patch at
> <http://marc.info/?l=openssl-cvs&m=126710063626226>.
>
> I've created a patch for cURL that adds a --trusted_first flag,
> allowing (lib)curl to use this openssl functionality.

Is there any reason to make this configurable at run-time rather than having
it enabled all the time?

I made the patch in order to fix a problem I was having with a certificate chain, and I wanted to be able to turn the feature on and off quickly while I did some tests. Also, it mirrors the way the flag is used in openssl itself. I think it would be useful to allow some flexibility, whether it's at run-time or configure or somewhere else.

(The particular problem I was having, for context, was a certificate that can be verified by two different roots, one sent by the server and one in the CA bundle. The flag allows us to choose which root is preferred over the other.)

Rob
--
Rob Foreman
BBC Future Media & Technology
D221 Centre House, 56 Wood Lane, LONDON W12 7SB
+44 303 040 9587
[email protected]
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

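As an added illustration (not code from this thread, from curl or from OpenSSL), a toy Python model of the chain-building order that -trusted_first changes, using the cross-signed scenario Rob describes: one intermediate key signed by a root the server sends and by a root in the CA bundle. The certificate names and key ids are constructed, and the model follows the older OpenSSL behaviour of accepting a chain only if the root it ends on is in the trusted store.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    signer_key: str  # id of the key that signed this cert
    key: str         # id of this cert's own key

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.signer_key == self.key

def find_issuer(cert, store):
    """First cert in `store` whose subject and key match cert's issuer."""
    for c in store:
        if c.subject == cert.issuer and c.key == cert.signer_key:
            return c
    return None

def build_chain(leaf, trusted, untrusted, trusted_first=False):
    """Walk leaf -> root, consulting the two stores in the chosen order.
    Returns (verified, [subjects in the chain that was built])."""
    stores = [trusted, untrusted] if trusted_first else [untrusted, trusted]
    chain, cur = [leaf], leaf
    while not cur.self_signed:
        nxt = None
        for store in stores:
            nxt = find_issuer(cur, store)
            if nxt is not None:
                break
        if nxt is None or nxt in chain:   # "unable to get issuer certificate"
            return False, [c.subject for c in chain]
        chain.append(nxt)
        cur = nxt
    # Older OpenSSL style: the chain is good only if the root it ends on is trusted.
    return chain[-1] in trusted, [c.subject for c in chain]

# Constructed sample: one intermediate key cross-signed by two roots.
ROOT_A = Cert("Root A", "Root A", "k_a", "k_a")    # root the server sends
ROOT_B = Cert("Root B", "Root B", "k_b", "k_b")    # root in the local CA bundle
INT_A = Cert("Int CA", "Root A", "k_a", "k_int")   # intermediate as signed by Root A
INT_B = Cert("Int CA", "Root B", "k_b", "k_int")   # same key, cross-signed by Root B
LEAF = Cert("www.example.test", "Int CA", "k_int", "k_leaf")
TRUSTED = [ROOT_B, INT_B]      # CA bundle contents
UNTRUSTED = [INT_A, ROOT_A]    # extra certs sent by the server with the leaf

def verify(trusted_first: bool):
    return build_chain(LEAF, TRUSTED, UNTRUSTED, trusted_first)
```

With the untrusted store consulted first the walk ends on Root A, which is not in the bundle, so verification fails; with trusted_first it picks the cross-signed intermediate and ends on Root B. OpenSSL 1.1.0 and later build chains trusted-first by default, so the toggle mainly matters for the 1.0.x-era setup discussed here.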