On Thu, 3 Mar 2016, Jothi Kanth wrote:

> We use the certificate at https://curl.haxx.se/ca/cacert.pem to verify the SSL certificates of the URLs we are hitting. But there seem to be some missing certificates in the recently released cacert.pem file on Jan 20th. So we are not able to verify some of the websites. Is this expected? Please let me know.

It is expected that you will only get certificates verified if the CA cert is in the bundle, yes. So if you use such a certificate store against an SSL/TLS server using a certificate signed by another CA or with a cert otherwise not present, then curl won't know it is fine.

Using a CA cert bundle is a question about trust. That bundle is simply a conversion of the bundle Mozilla provides - the ones they trust. It doesn't mean that those CAs are the same set of CAs you trust.

--

 / daniel.haxx.se