forwarded 628697 http://curl.haxx.se/mail/lib-2011-12/0163.html
kthxbye

On Tue, May 31, 2011 at 02:46:57PM +0200, Vincent Lefevre wrote:
> Package: curl
> Version: 7.21.6-1
> Severity: normal
>
> The default certificates are ignored when the --capath option is used
> (either as a command-line argument or in the .curlrc file). I wonder
> whether this is intentional, but the status of default certificates
> is not documented in the curl(1) man page.
>
> For instance:
>
> ypig:~> curl --capath ~/wd/config/cacert https://bugs.freedesktop.org/
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> Moreover this seems to be a Debian-specific bug, as I don't have this
> problem under Mac OS X (with the same contents of ~/wd/config/cacert).

I think that ignoring the default value is the correct behaviour. IMO it
is the same as providing multiple --capath options (the latest is used).
Also, I do not know of Mac OS X, but AFAICT the Fedora/Red Hat packages
have the same behaviour.

Anyway, I have submitted a patch upstream to improve the documentation
of the --capath option.

> It seems that one can use several directories separated by a ":", but
> this is not documented in the man page.

Added this too to the patch. I am not sure about the additional feature
though, let's fix the missing documentation first.

Cheers
--
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
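
Added example (not part of the original message and not curl's own code): because --capath replaces the default CA directory instead of adding to it, the system directory has to be listed explicitly next to the private one, using the ":" separator discussed above. The sketch assumes an OpenSSL-backed curl and /etc/ssl/certs as the system CA directory; the function names are hypothetical. It also skips directories that were never rehashed, since OpenSSL only finds CA files in a CApath directory by their subject-hash names.

```shell
#!/bin/sh
# Added example. Assumptions: OpenSSL-backed curl, /etc/ssl/certs as the
# system CA directory, directory names without ":" in them.

# A directory works as a CApath entry only if it holds files named
# <8 hex digits>.<n>, the subject-hash names OpenSSL looks up
# (created by `c_rehash` or `openssl rehash`).
is_hashed_ca_dir() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        # Skips the unexpanded glob of an empty directory and dangling links.
        [ -e "$f" ] || continue
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                return 0 ;;
        esac
    done
    return 1
}

# Join every usable directory with ":" and warn about the ones left out.
# Fails if nothing usable remains, so the caller never passes an empty
# --capath value.
build_capath() {
    out=""
    for d in "$@"; do
        if is_hashed_ca_dir "$d"; then
            out="${out:+$out:}$d"
        else
            echo "skipping $d: missing or not rehashed" >&2
        fi
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Usage, keeping the system CAs alongside the private directory:
#   capath=$(build_capath "$HOME/wd/config/cacert" /etc/ssl/certs) &&
#       curl --capath "$capath" https://bugs.freedesktop.org/
```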