On Thu, 28 Nov 2019, Jeffrey Walton wrote:
> Are folks using the Let's Encrypt X3 CA certificate, or the CA Zoo with 137
> CAs?
I don't think you'll gain many bonus points here for using "funny" terms for
established concepts.
I'm convinced most people use a full-fledged "CA store" for their curl
operations just as they do with their browsers.
> If it is the CA Zoo, then folks have exponentially increased their attack
> surface. I still remember DigiNotar [0,1], and more recently companies like
> Symantec issuing certificates for domains they had no administrative or
> relationship with or operational control over [2].
Sure, but the CA world has also improved quite significantly since then with
CT, CAA and more which makes such attacks and mistakes much harder to do now
without getting caught really quickly.
> No. I'm only using the Let's Encrypt X3 CA certificate. I only use the CA
> needed for the end entity certificate at hand.
Right, but that is an intermediate cert and not a root cert if I understand
things correctly so you're asking curl to verify a partial cert "chain".
My Let's Encrypt sites have their certs chained like this:
- ISRG Root X1
- Let's Encrypt Authority X3
- [my site]
[from another mail]
> It looks like X509_V_FLAG_PARTIAL_CHAIN was discussed before for cURL, but I
> could not tell where it ended.
It was never merged. From the look of it, because nobody argued for it and could
motivate properly *why* we would need it, so it just faded into oblivion.
"It would fix my problems" isn't strong enough. I will admit that I'm not sure
I personally can fully assess the security implications of setting that bit.
But yes, it seems other TLS libraries already have that behavior by default.
--
/ daniel.haxx.se | Get the best commercial curl support there is - from me
| Private help, bug fixes, support, ports, new features
| https://www.wolfssl.com/contact/
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
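The "partial chain" situation discussed in the thread (an intermediate such as Let's Encrypt Authority X3 used as the only trust anchor, with no root in the store) and the remark that other TLS libraries already allow it by default can be checked against Go's standard-library verifier, which treats any certificate placed in the Roots pool as a trust anchor whether or not it is self-signed. This is an added example, not code from the thread or from curl: it builds a throwaway root, intermediate and leaf in memory with constructed names, and the hostname www.example.test is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var serial int64 // serial counter for the constructed, throwaway certificates below
// mkCert issues a certificate for cn signed by parent; parent == nil means self-signed.
// certSign is set on every cert (Go requires it on signers; on the leaf it is harmless here).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if !isCA { // the leaf gets a SAN and a server-auth EKU, as a site certificate would
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Result records which trust stores accept the leaf.
type Result struct{ FullChain, IntermediateOnly, NoAnchor bool }
// Demo builds root -> intermediate -> leaf (like ISRG Root X1 -> Authority X3 -> site); IntermediateOnly is the "partial chain" case.
func Demo() Result {
	root, rootKey := mkCert("Demo Root (constructed)", true, nil, nil)
	inter, interKey := mkCert("Demo Intermediate (constructed)", true, root, rootKey)
	leaf, _ := mkCert("www.example.test", false, inter, interKey)
	rootOnly, interOnly, empty := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	rootOnly.AddCert(root)
	interOnly.AddCert(inter)
	ok := func(anchors, sent *x509.CertPool) bool { // sent: what the server offers beside the leaf
		_, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.example.test", Roots: anchors, Intermediates: sent})
		return err == nil // Go accepts any cert in Roots as an anchor, self-signed or not
	}
	return Result{FullChain: ok(rootOnly, interOnly), IntermediateOnly: ok(interOnly, empty), NoAnchor: ok(empty, interOnly)}
}
```

The empty pool is passed explicitly because a nil Roots field would make Go fall back to the system trust store, which is exactly the "CA Zoo" the thread is weighing against a single-anchor store.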