moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-08-13 17:03:50 -04:00
Code Issues Releases Wiki Activity

docs/SSL-PROBLEMS: enhanced

Browse Source 
Elaborate on the intermediate cert issue, and mention that anything
below TLS 1.2 is generally considered insecure these days.

Closes #6572
This commit is contained in:
Daniel Stenberg 2021-02-05 10:50:51 +01:00
parent 666743a204
commit 82551c1308
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/SSL-PROBLEMS.md
View File

@ -23,8 +23,18 @@
## CA bundle missing intermediate certificates
When using said CA bundle to verify a server cert, you will experience
problems if your CA cert does not have the certificates for the
intermediates in the whole trust chain.
problems if your CA store does not contain the certificates for the
intermediates if the server doesn't provide them.
The TLS protocol mandates that the intermediate certificates are sent in the
handshake, but as browsers have ways to survive or work around such
omissions, missing intermediates in TLS handshakes still happen that
browser-users won't notice.
Browsers work around this problem in two ways: they cache intermediate
certificates from previous transfers and some implement the TLS "AIA"
extension that lets the client explictly download such cerfificates on
demand.
## Protocol version
@ -36,7 +46,8 @@
An additional complication can be that modern SSL libraries sometimes are
built with support for older SSL and TLS versions disabled!
All versions of SSL are considered insecure and should be avoided. Use TLS.
All versions of SSL and the TLS versions before 1.2 are considered insecure
and should be avoided. Use TLS 1.2 or later.
## Ciphers