mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
UPGRADE was renamed into this "SSLCERTS"
This commit is contained in:
parent
66eb98bb0a
commit
16f9755e73
34
SSLCERTS
Normal file
34
SSLCERTS
Normal file
@ -0,0 +1,34 @@
|
||||
Upgrading to curl/libcurl 7.10 from any previous version
|
||||
========================================================
|
||||
|
||||
libcurl 7.10 performs peer SSL certificate verification by default. This is
|
||||
done by installing a default CA cert bundle on 'make install' (or similar),
|
||||
that CA bundle package is used by default on operations against SSL servers.
|
||||
|
||||
Alas, if you communicate with HTTPS servers using certifcates that are signed
|
||||
by CAs present in the bundle, you will not notice any changed behavior and you
|
||||
will seeminglessly get a higher security level on your SSL connections since
|
||||
can be sure that the remote server really is the one it claims to be.
|
||||
|
||||
If the remote server uses a self-signed certificate, or if you don't install
|
||||
curl's CA cert bundle or if it uses a certificate signed by a CA that isn't
|
||||
included in the bundle, then you need to do one of the following:
|
||||
|
||||
1. Tell libcurl to *not* verify the peer. With libcurl you disable with with
|
||||
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
|
||||
|
||||
With the curl command tool, you disable this with -k/--insecure.
|
||||
|
||||
2. Get a CA certificate that can verify the remote server and use the proper
|
||||
option to point out this CA cert for verification when connecting. For
|
||||
libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath);
|
||||
|
||||
With the curl command tool: --cacert [file]
|
||||
|
||||
This upgrade procedure has been deemed The Right Thing even though it adds
|
||||
this extra trouble for some users, since it adds security to a majority of the
|
||||
SSL connections that previously weren't really secure.
|
||||
|
||||
It turned out many people were using previous versions of curl/libcurl without
|
||||
realizing the need for the CA cert options to get truly secure SSL
|
||||
connections.
|
Loading…
Reference in New Issue
Block a user