Package: curl
Version: 7.42.1-3
Severity: wishlist

Hi,

Up to 7.42.1-3, libcurl3 (OpenSSL) and the curl binary would use the subject
hash symlinks under /etc/ssl/certs for certificate verification. Debian
commit a494ae19[1] changed the OpenSSL build to specify both --with-ca-path
and --with-ca-bundle. According to SSL_CTX_LOAD_VERIFY_LOCATIONS(3SSL):

  When looking up CA certificates, the OpenSSL library will first search
  the certificates in CAfile, then those in CApath.

The following illustrates the difference between a Stretch host:

  $ strace -etrace=file curl -s https://debian.org 2>&1 | grep ssl
  open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 4

and a Jessie host:

  $ strace -etrace=file curl -s https://debian.org 2>&1 | grep /etc/ssl
  stat("/etc/ssl/certs/2e5ac55d.0", {st_mode=S_IFREG|0644, st_size=1200, ...}) = 0
  open("/etc/ssl/certs/2e5ac55d.0", O_RDONLY) = 5
  stat("/etc/ssl/certs/2e5ac55d.1", 0x7ffdcf392220) = -1 ENOENT (No such file or directory)

The former uses ca-certificates.crt, the latter uses the subject hash
symlinks under /etc/ssl/certs.

Note that this may lead to increased memory usage for applications using
libcurl with multiple curl handles (this is how I found out :), as
ca-certificates.crt is always loaded in memory and typically accounts for
about 1MB per curl handle. In contrast, using the subject hash links loads
only the required certificates in memory, and only when they are needed.

Please consider reverting that part of the commit and relying only on
ca-path.

Regards,
Apollon

P.S.: I did not investigate how GnuTLS behaves in this respect.

[1] https://anonscm.debian.org/git/collab-maint/curl.git/commit/?id=a494ae1901f86e03ed631f6aa6b0bf0758e75e35
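The eager-versus-lazy loading the report describes, shown with Python's ssl module, which calls the same SSL_CTX_load_verify_locations() that libcurl's OpenSSL backend uses. This is an added example, not code from the bug report, from curl or from Debian. It assumes the openssl command-line tool is installed; the three self-signed roots are throwaway certificates generated on the fly as constructed test data, the hashed directory is built by the example itself the way c_rehash would, and the names make_ca, subject_hash, rehash, client_context, certs_in_store, handshake_in_memory and demo are illustrative.

```python
import os
import ssl
import subprocess
import tempfile


def make_ca(directory, name):
    """Generate a throwaway self-signed root (constructed test data, not a
    real trust root) with the openssl CLI. Returns (cert_pem, key_pem)."""
    key = os.path.join(directory, f"{name}.key")
    crt = os.path.join(directory, f"{name}.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-days", "30", "-subj", f"/O=Example/CN={name}",
         "-keyout", key, "-out", crt],
        check=True, capture_output=True)
    return crt, key


def subject_hash(pem):
    """The subject-name hash OpenSSL uses as the CApath file name
    (8 hex digits, e.g. 2e5ac55d in the strace above)."""
    res = subprocess.run(
        ["openssl", "x509", "-noout", "-subject_hash", "-in", pem],
        check=True, capture_output=True, text=True)
    return res.stdout.strip()


def rehash(capath, pems):
    """Build a CApath like c_rehash does: <hash>.0, <hash>.1, ...
    The suffix only increments when two certificates hash to the same name;
    OpenSSL stats suffix 0, 1, 2, ... until one is missing (the ENOENT on
    2e5ac55d.1 in the Jessie trace)."""
    os.makedirs(capath, exist_ok=True)
    for pem in pems:
        h, n = subject_hash(pem), 0
        while os.path.lexists(os.path.join(capath, f"{h}.{n}")):
            n += 1
        os.symlink(os.path.abspath(pem), os.path.join(capath, f"{h}.{n}"))


def client_context(cafile=None, capath=None):
    """SSL_CTX_load_verify_locations(CAfile, CApath), as libcurl calls it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # the throwaway certs carry no SAN
    # Classic OpenSSL verify flags: a strict-mode default (some newer Pythons
    # enable VERIFY_X509_STRICT) would reject a CA that lacks keyUsage.
    ctx.verify_flags = ssl.VERIFY_DEFAULT
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def certs_in_store(ctx):
    """How many X.509 objects the context's X509_STORE holds right now."""
    return ctx.cert_store_stats()["x509"]


def handshake_in_memory(client_ctx, crt, key):
    """TLS handshake over MemoryBIOs (no sockets) against a server presenting
    crt/key, so the client really has to look the issuer up in its store."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(crt, key)
    c2s, s2c = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(s2c, c2s, server_side=False)
    server = server_ctx.wrap_bio(c2s, s2c, server_side=True)
    pending = [client, server]
    while pending:
        for obj in list(pending):
            try:
                obj.do_handshake()
                pending.remove(obj)
            except ssl.SSLWantReadError:
                pass                      # waiting for the peer's next flight
    return client.version()


def demo(n_roots=3):
    """Returns (certs loaded via CAfile, via CApath before any handshake,
    via CApath after one handshake)."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = [make_ca(tmp, f"root{i}") for i in range(n_roots)]
        bundle = os.path.join(tmp, "ca-certificates.crt")
        with open(bundle, "w") as out:
            for crt, _ in roots:
                with open(crt) as f:
                    out.write(f.read())
        capath = os.path.join(tmp, "certs")
        rehash(capath, [crt for crt, _ in roots])

        eager = certs_in_store(client_context(cafile=bundle))
        lazy_ctx = client_context(capath=capath)
        before = certs_in_store(lazy_ctx)
        # The server presents root0's own (self-signed) certificate, which the
        # client must find under <hash>.0 in the CApath to accept it.
        handshake_in_memory(lazy_ctx, *roots[0])
        after = certs_in_store(lazy_ctx)
        return eager, before, after


if __name__ == "__main__":
    print(demo())   # (3, 0, 1)
```

The bundle puts all three roots into the X509_STORE at load time, the CApath puts none in until a handshake forces a lookup, and afterwards only the one root that was actually needed is resident. The per-handle figure in the report follows from this: each curl easy handle owns its own SSL_CTX and therefore its own copy of whatever the CAfile holds.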