1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-12 04:25:08 -05:00

docs/SSL-PROBLEMS: enhanced

Elaborate on the intermediate cert issue, and mention that anything
below TLS 1.2 is generally considered insecure these days.

Closes #6572
This commit is contained in:
Daniel Stenberg 2021-02-05 10:50:51 +01:00
parent 666743a204
commit 82551c1308
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2

View File

@ -23,8 +23,18 @@
## CA bundle missing intermediate certificates
When using said CA bundle to verify a server cert, you will experience
problems if your CA cert does not have the certificates for the
intermediates in the whole trust chain.
problems if your CA store does not contain the certificates for the
intermediates if the server doesn't provide them.
The TLS protocol mandates that the intermediate certificates are sent in the
handshake, but as browsers have ways to survive or work around such
omissions, missing intermediates in TLS handshakes still happen that
browser-users won't notice.
Browsers work around this problem in two ways: they cache intermediate
certificates from previous transfers and some implement the TLS "AIA"
extension that lets the client explictly download such cerfificates on
demand.
## Protocol version
@ -36,7 +46,8 @@
An additional complication can be that modern SSL libraries sometimes are
built with support for older SSL and TLS versions disabled!
All versions of SSL are considered insecure and should be avoided. Use TLS.
All versions of SSL and the TLS versions before 1.2 are considered insecure
and should be avoided. Use TLS 1.2 or later.
## Ciphers