[Help-gnutls] Re: Certificate verification failed

Daniel Stenberg daniel at haxx.se
Fri Oct 28 10:41:33 CEST 2005


On Thu, 27 Oct 2005, Simon Josefsson wrote:

>> as you can assume I would have to more or less unconditionally enable them 
>> for libcurl, since as you just saw: official CA certs out of our control 
>> clearly are using such algorithms.
>
> How about only enabling use of MD2/MD5 when --insecure is used?

Now we're drifting off-topic for this list, but the meaning of the existing 
curl option --insecure is to completely disable server CA cert verifying, so I 
can't use that...

Besides, there is no --insecure option to the library libcurl (the command 
line option modifies two options in the library) and even if I certainly could 
introduce an option for this purpose, I'd hesitate to do so. Mostly because:

  A) libcurl users will want to be able to use publicly available CA certs such
     as the Debian one and thus they will want to have MD2/MD5 enabled in a
     very large extent (my assumption)

  B) OpenSSL supports MD2/MD5 out of the box and when people switch
     libcurl-openssl to libcurl-gnutls they want them to provide the same
     feature set, as closely as possible.

  C) OpenSSL doesn't have an option to disable these algorithms, AFAIK.
     My (new) ambition in libcurl is to provide an SSL-layer agnostic API that
     should make apps able to use libcurl identically and with the same
     functionality independent of what SSL-layer it has been built to use.

There are many (I don't know the exact number) packages in Debian that depend 
on libcurl-openssl and judging from public statements, Debian aims to move 
them all over to libcurl-gnutls.

I know all these are headaches of the libcurl project and not really concerning 
the GnuTLS project. I'm mainly filling in some info here to give you guys a 
background on why I ask all these questions and stuff. I'll shut up about this 
now on this list.

-- 
          -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
   ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
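To see how many roots in a given CA bundle are actually signed with the MD2/MD5 algorithms discussed above, here is a small scanner added as an example (it is not code from this thread, from curl or from GnuTLS): it reads each PEM certificate's outer signatureAlgorithm OID with a minimal DER parser and flags md2WithRSAEncryption / md5WithRSAEncryption. The `_der`/`make_sample_cert` helpers and `SAMPLE_BUNDLE` are constructed for this example only and are not real certificates; on a real bundle, pass the file's bytes to `weak_certs_in_bundle`.

```python
import base64, re
# PKCS #1 signature-algorithm OIDs that hash with MD2 or MD5 (the algorithms under discussion).
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(data, pos):                    # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(body):                       # OBJECT IDENTIFIER content octets -> dotted string
    arcs, value = [str(body[0] // 40), str(body[0] % 40)], 0
    for octet in body[1:]:                   # base-128 arcs, high bit set on all but the last octet
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(str(value)); value = 0
    return ".".join(arcs)

def signature_algorithm_oid(der):
    """OID from the outer signatureAlgorithm of Certificate ::= SEQUENCE { tbs, sigAlg, sig }."""
    _, cert, _ = _read_tlv(der, 0)
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06: raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def weak_certs_in_bundle(pem_bundle):
    """[(index, algorithm_name)] for each MD2/MD5-signed certificate in a PEM bundle."""
    hits = []
    for idx, m in enumerate(PEM_RE.finditer(pem_bundle)):
        oid = signature_algorithm_oid(base64.b64decode(b"".join(m.group(1).split())))
        if oid in WEAK_SIG_OIDS:
            hits.append((idx, WEAK_SIG_OIDS[oid]))
    return hits

# Constructed sample, not a real certificate: empty tbsCertificate, the given signature
# OID with NULL parameters, and a placeholder BIT STRING signature, wrapped as PEM.
def _der(tag, body):                         # short-form length only; sample bodies are < 128 bytes
    return bytes([tag, len(body)]) + body
def make_sample_cert(sig_oid_bytes):
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))
    der = _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
MD5_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"    # 1.2.840.113549.1.1.4
SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"   # 1.2.840.113549.1.1.5
SAMPLE_BUNDLE = make_sample_cert(SHA1_RSA) + make_sample_cert(MD5_RSA)
```

Only the outer signatureAlgorithm is inspected, which is what a verifier has to trust when it checks the signature; a bundle with no hits still has to be refreshed as CAs re-sign their roots.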