Thank you. That has helped me a great deal.

> It is not about Windows and Unix at all. It is about curl behaving slightly
> different depending on which TLS backend it is built with and told to use.

Absolutely, I was being sloppy.  For the record I should state that I was 
enquiring specifically about the SChannel backend.

Having explicitly tested them I must confirm that on Windows, curl built 
against LibreSSL and curl built against OpenSSL both behave
as I (wrongly) ascribed to "Unix".

Your answer has allowed me to clarify my thoughts significantly. 

Is this a fair statement:

"Opinions differ as to what is correct and curl delegates this behaviour to the 
SSL backend of your choice.  Multiple backends are
available on multiple platforms and you should choose the one which fits your 
requirements and/or understanding of the spec".

I can work with that.

> > Additionally I'll observe that the curl code only ever inspects the first
> > cert chain presented.  I don't know if this matters, but it would seem to
> > argue that cross signing certificates might be problematic.
> 
> I don't believe that is generally true. We get countless of questions from
> people that get errors from curl when servers don't present their intermediate
> certificate - a quite common server setup mistake.

I'm sorry, I didn't explain myself clearly.  I was referring not to the 
certificates in the chain presented to the client, but
rather the option (present at an API level) for a client to be presented with 
multiple chains.   But let me poke at this in my
sandbox and if there is anything interesting we can discuss it in a PR which 
feels like a better place to be discussing such
minutiae.

Thanks again
        Rod

-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
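The thread above keeps coming back to which TLS backend a given curl binary is actually using, since that is what decides the certificate behaviour being discussed. As an added example, not code from the curl project or from anyone in this thread, here is a POSIX shell helper that reads the first line of `curl -V`, reports the active backend, and, on a MultiSSL build, shows switching backends with the CURL_SSL_BACKEND environment variable. The list of backend names and the assumption that MultiSSL builds print inactive backends in parentheses are mine, not something stated in the thread; the sample version lines are constructed, not captured from real builds.

```shell
#!/bin/sh
# Added example (not from the curl project): work out which TLS backend a curl
# binary is actually using, so backend-specific certificate behaviour can be
# reproduced on purpose rather than by accident.

# Backend names as libcurl spells them in the first line of `curl -V`.
# Assumption: this list covers the backends a practitioner is likely to meet.
KNOWN_BACKENDS="OpenSSL LibreSSL BoringSSL GnuTLS wolfSSL mbedTLS Schannel SecureTransport rustls BearSSL"

# active_tls_backend VERSION_LINE
# Prints the active backend taken from the first line of `curl -V` output.
# Assumption about MultiSSL builds: curl prints the backends that are built in
# but not active inside parentheses, e.g. "(OpenSSL/1.1.1g) Schannel", so any
# parenthesised token is skipped. Prints "unknown" and fails if no name matches.
active_tls_backend() {
    for tok in $1; do
        case $tok in
            \(*) continue ;;          # inactive backend, or the platform triplet
        esac
        name=${tok%%/*}               # "OpenSSL/3.0.13" -> "OpenSSL"
        for b in $KNOWN_BACKENDS; do
            [ "$name" = "$b" ] && { printf '%s\n' "$b"; return 0; }
        done
    done
    printf 'unknown\n'
    return 1
}

# is_multissl FEATURES_LINE
# Succeeds when the "Features:" line of `curl -V` lists MultiSSL, i.e. the
# build can switch backends at run time via CURL_SSL_BACKEND.
is_multissl() {
    case " $1 " in
        *" MultiSSL "*) return 0 ;;
    esac
    return 1
}

# Constructed sample lines (not captured from real builds).
SAMPLE_SINGLE='curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3'
SAMPLE_MULTI='curl 7.71.1 (x86_64-pc-win32) libcurl/7.71.1 (OpenSSL/1.1.1g) Schannel zlib/1.2.11'
echo "sample single-backend build: $(active_tls_backend "$SAMPLE_SINGLE")"
echo "sample MultiSSL build:       $(active_tls_backend "$SAMPLE_MULTI")"

# Against the real binary, when one is installed on this machine.
if command -v curl >/dev/null 2>&1; then
    version_line=$(curl -V | sed -n 1p)
    features_line=$(curl -V | sed -n 's/^Features: //p')
    echo "installed curl uses: $(active_tls_backend "$version_line")"
    if is_multissl "$features_line"; then
        # Only a MultiSSL build honours this; a single-backend build ignores it.
        echo "with CURL_SSL_BACKEND=schannel: $(CURL_SSL_BACKEND=schannel curl -V | sed -n 1p)"
    else
        echo "single-backend build: CURL_SSL_BACKEND has no effect here"
    fi
fi
```

The curl command-line tool reads CURL_SSL_BACKEND itself; a program using libcurl directly selects the backend with curl_global_sslset() before curl_global_init(). Either way the choice only exists on a build whose Features line lists MultiSSL, which is why the helper checks that line before trying to switch.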
