[Help-gnutls] Re: Certificate verification failed
daniel at haxx.se
Fri Oct 28 10:41:33 CEST 2005
On Thu, 27 Oct 2005, Simon Josefsson wrote:
>> as you can assume I would have to more or less unconditionally enable them
>> for libcurl, since as you just saw: official CA certs out of our control
>> clearly are using such algorithms.
> How about only enabling use of MD2/MD5 when --insecure is used?
Now we're drifting off-topic for this list, but the meaning of the existing
curl option --insecure is to completely disable server CA cert verifying, so I
can't use that...
Besides, there is no --insecure option to the library libcurl (the command
line option modifies two options in the library) and even if I certainly could
introduce an option for this purpose, I'd hesitate to do so. Mostly because:
A) libcurl users will want to be able to use publicly available CA certs such
as the Debian one and thus they will want to have MD2/MD5 enabled in a
very large extent (my assumption)
B) OpenSSL supports MD2/MD5 out of the box and when people switch
libcurl-openssl to libcurl-gnutls they want them to provide the same
feature set, as closely as possible.
C) OpenSSL doesn't have an option to disable these algorithms, AFAIK.
My (new) ambition in libcurl is to provide an SSL-layer agnostic API that
should make apps able to use libcurl identically and with the same
functionality independent of what SSL-layer it has been built to use.
There are many (I don't know the exact number) packages in Debian that depend
on libcurl-openssl and judging from public statements, Debian aims to move
them all over to libcurl-gnutls.
I know all these are headaches of the libcurl project and not really concerning
the GnuTLS project. I'm mainly filling in some info here to give you guys a
background on why I ask all these questions and stuff. I'll shut up about this
now on this list.
-=- Daniel Stenberg -=- http://daniel.haxx.se -=-
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
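The thread turns on whether a TLS stack should accept CA certificates whose signatures use MD2 or MD5. A practitioner auditing a CA bundle would want to know how many such certificates it actually contains before deciding. The following is an added example, not code from the thread, libcurl or GnuTLS: a pure-Python walk of the outer DER structure of each certificate in a PEM bundle that reports the signatureAlgorithm OID and flags md2WithRSAEncryption and md5WithRSAEncryption. The bundle it scans is constructed inline from structurally valid but otherwise meaningless certificate shells, so it runs offline; point `scan_bundle` at a real bundle's text to audit it.

```python
"""Report certificates in a PEM bundle whose outer signature uses MD2 or MD5.
Added example (not from the thread); pure Python, no third-party modules."""
import base64
import re

# PKCS#1 signature OIDs (RFC 3279 / RFC 4055). The first two are the ones at issue.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIG_OIDS = {
    **WEAK_SIG_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der_cert):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)            # skip tbsCertificate
    tag, alg, _ = read_tlv(body, pos)           # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("bad AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def scan_bundle(pem_text):
    """Return [(index, algorithm name or OID, is_weak)] for each PEM certificate."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    results = []
    for i, b64 in enumerate(blocks):
        oid = signature_algorithm(base64.b64decode("".join(b64.split())))
        results.append((i, KNOWN_SIG_OIDS.get(oid, oid), oid in WEAK_SIG_OIDS))
    return results


# ---- constructed sample bundle (not real certificates) ------------------------
def der(tag, payload):
    """Minimal DER encoder for the sample data (lengths up to 65535)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes(2, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid):
    """Certificate shell with a placeholder tbsCertificate and the given signature OID."""
    tbs = der(0x30, der(0x02, b"\x01"))                       # placeholder, not a real TBS
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" * 17)                              # BIT STRING, dummy bits
    return der(0x30, tbs + alg + sig)


def pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = pem(fake_cert("1.2.840.113549.1.1.4")) + pem(fake_cert("1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    for idx, name, weak in scan_bundle(SAMPLE_BUNDLE):
        print(f"cert #{idx}: {name}{'  <-- MD2/MD5 signature' if weak else ''}")
```

Only the outer signatureAlgorithm is inspected, which is the field a verifier checks when it decides whether to accept the signature; a root in a trust store is trusted by presence rather than by its self-signature, so the count this produces is an upper bound on what a verifier configured to reject MD2/MD5 would actually refuse.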