
Re: curl and certificate verification in jessie



Tollef Fog Heen writes ("Re: curl and certificate verification in jessie"):
> ]] Daniel Kahn Gillmor 
> > Unfortunately, this is quite a subtle API change, and it's not clear how
> > to do it safely or sanely.
> 
> For curl, it sounds like a simple curl_set_option(CURL_SSL_EE_CERT,…)
> call or similar would make sense and then expose that to the command
> line too.  If I do curl --tls-ee-certs=somefile.crt https://www…;, I
> probably don't care if somefile.crt has a subjectAltName for alioth or
> google.

That's all very well, but we can't sensibly retrofit this option to
all existing callers of curl who directly supply EE certificates.

We could have jessie's curl unconditionally supply this option, since
curl doesn't itself have any way to "accept" certificates in this
sense and it seems unlikely that someone has written a browser which
works by forking curl.

But what about all the other callers of curl?  I'm thinking
particularly of LWP::UserAgent et al.

Ian.
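To make concrete the two verification semantics this thread contrasts, here is an added example that is not code from the thread, from curl or from Debian. It uses Go's standard library and hypothetical helper names (newSelfSignedCert, verifyByCA, verifyByEEPin); the certificate it builds is a constructed test certificate, not any real site's, and the pinned path deliberately skips the subjectAltName check exactly as Tollef's "--tls-ee-certs=somefile.crt" proposal describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// must panics on error to keep the example short; real code returns the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSelfSignedCert builds a constructed, self-signed test certificate whose
// subjectAltName is host. It stands in for "somefile.crt"; it is not a real cert.
func newSelfSignedCert(host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// verifyByCA is the ordinary path: chain to a trusted root, then require host in the SAN.
func verifyByCA(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verifyByEEPin is the proposed --tls-ee-certs semantic: the presented leaf must be
// byte-for-byte one of the directly supplied EE certs; subjectAltName is not consulted.
func verifyByEEPin(leaf *x509.Certificate, pinned []*x509.Certificate) bool {
	for _, p := range pinned {
		if p.Equal(leaf) {
			return true
		}
	}
	return false
}
```

The point for callers such as LWP::UserAgent is visible in the last function: once an EE certificate is supplied directly, the name check disappears, so whoever hands curl "somefile.crt" must actually intend to accept that exact certificate for whatever host is being contacted.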

