curl and certificate verification in jessie

Ian Jackson ijackson at
Fri Dec 5 14:28:51 UTC 2014

Tollef Fog Heen writes ("Re: curl and certificate verification in jessie"):
> ]] Daniel Kahn Gillmor 
> > Unfortunately, this is quite a subtle API change, and it's not clear how
> > to do it safely or sanely.
> For curl, it sounds like a simple curl_set_option(CURL_SSL_EE_CERT,…)
> call or similar would make sense and then expose that to the command
> line too.  If I do curl --tls-ee-certs=somefile.crt https://www…, I
> probably don't care if somefile.crt has a subjectAltName for alioth or
> google.

That's all very well, but we can't sensibly retrofit this option to
all existing callers of curl who directly supply EE certificates.

We could have jessie's curl unconditionally supply this option, since
curl doesn't itself have any way to "accept" certificates in this
sense and it seems unlikely that someone has written a browser which
works by forking curl.

But what about all the other callers of curl ?  I'm thinking
particularly of LWP::UserAgent et al.


More information about the Pkg-gnutls-maint mailing list