Re: curl and certificate verification in jessie

To: Tollef Fog Heen <tfheen@err.no>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, pkg-gnutls-maint@lists.alioth.debian.org, debian-devel@lists.debian.org, Alessandro Ghedini <ghedo@debian.org>
Subject: Re: curl and certificate verification in jessie
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Sat, 27 Jun 2015 00:23:48 +0100
Message-id: <[🔎] 21901.57092.251321.252793@chiark.greenend.org.uk>
In-reply-to: <87vblr2nk8.fsf@xoog.err.no>
References: <20141129121020.GY20561@anguilla.noreply.org> <20141129142616.GA4585@kronk> <87iohv65ck.fsf_-_@xoog.err.no> <20141201185025.GA24649@kronk> <87oarngjv0.fsf@aexonyam.err.no> <21632.32933.499745.697099@chiark.greenend.org.uk> <54809171.9060501@fifthhorseman.net> <87vblr2nk8.fsf@xoog.err.no>

It looks like nothing got done about this :-(.

Is there any (GPL-compatible) TLS HTTP client library or tool in
jessie which allows me to specify explicitly the expected End Entity
certificate ?

At the moment I'm using curl and wget.  I was using --cacert=blah
--capath=/dev/null and it did DTRT some time ago but now doesn't.

In the meantime I'm going to have to make the whole thing rely on
ca-certificates.  The result is that our internal infrastructure (dgit
in this case) is going to be (entirely needlessly) vulnerable to
security failures in the X.509 CA cabal.

Ian.

Reply to:

Prev by Date: Re: GooString
Next by Date: GID collab-maint or scm_collab-maint on alioth git
Previous by thread: Bug#790031: ITP: fcitx-zhuyin -- Fcitx wrapper for Zhuyin library
Next by thread: GID collab-maint or scm_collab-maint on alioth git
Index(es):
- Date
- Thread