- We're no longer providing a very old ca-bundle in the curl tarball. You can

                                  Changelog

                                  Changelog

Daniel S (18 Feb 2008)

- We're no longer providing a very old ca-bundle in the curl tarball. You can

  get a fresh one downloaded and created with 'make ca-bundle' or you can get

  one from here => http://curl.haxx.se/docs/caextract.html if you want a fresh

  new one extracted from Mozilla's recent list of ca certs.

  The configure option --with-ca-bundle now lets you specify what file to use

  as default ca bundle for your build. If not specified, the configure script

  will check a few known standard places for a global ca cert to use.

Daniel S (17 Feb 2008)

Daniel S (17 Feb 2008)

- Jerome Muffat-Meridol helped me fix Curl_done() to close the current

- Jerome Muffat-Meridol helped me fix Curl_done() to close the current

  connection by force when it was called before the entire request is

  connection by force when it was called before the entire request is

 o added support for HttpOnly cookies

 o added support for HttpOnly cookies

 o 'make ca-bundle' downloads and generates an updated ca bundle file

 o 'make ca-bundle' downloads and generates an updated ca bundle file

 o we no longer distribute or install a ca cert bundle

This release includes the following bugfixes:

This release includes the following bugfixes:

#                            | (__| |_| |  _ <| |___

#                            | (__| |_| |  _ <| |___

#                             \___|\___/|_| \_\_____|

#                             \___|\___/|_| \_\_____|

#

#

# Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.

# Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.

#

#

# This software is licensed as described in the file COPYING, which

# This software is licensed as described in the file COPYING, which

# you should have received as part of this distribution. The terms

# you should have received as part of this distribution. The terms

  esac

  esac

])

])

dnl CURL_CHECK_CA_BUNDLE

dnl -------------------------------------------------

dnl Check if a default ca-bundle should be used

dnl

dnl regarding the paths this will scan:

dnl /etc/ssl/certs/ca-certificates.crt Debian systems

dnl /etc/pki/tls/certs/ca-bundle.crt Redhat and Mandriva

dnl /usr/share/ssl/certs/ca-bundle.crt old(er) Redhat

AC_DEFUN([CURL_CHECK_CA_BUNDLE], [

  AC_MSG_CHECKING([default CA cert bundle])

  AC_ARG_WITH(ca-bundle,

AC_HELP_STRING([--with-ca-bundle=FILE], [File name to use as CA bundle])

AC_HELP_STRING([--without-ca-bundle], [Don't use a default CA bundle]),

  [ ca="$withval" ],

  [

    dnl the path we previously would have installed the curl ca bundle

    dnl to, and thus we now check for an already existing cert in that place

    dnl in case we find no other

    if test "x$prefix" != xNONE; then

      cac="\${prefix}/share/curl/curl-ca-bundle.crt"

    else

      cac="$ac_default_prefix/share/curl/curl-ca-bundle.crt"

    fi

    for a in /etc/ssl/certs/ca-certificates.crt \

             /etc/pki/tls/certs/ca-bundle.crt \

             /usr/share/ssl/certs/ca-bundle.crt \

             "$cac"; do

      if test -f $a; then

        ca="$a"

        break

      fi

    done

    ]

  )

  if test "x$ca" != "xno"; then

    CURL_CA_BUNDLE='"'$ca'"'

    AC_SUBST(CURL_CA_BUNDLE)

  fi

  AC_MSG_RESULT([$ca])

])

dnl Check for the CA bundle

dnl Check for the CA bundle

dnl **********************************************************************

dnl **********************************************************************

if test X"$SSL_ENABLED" != "X"; then

CURL_CHECK_CA_BUNDLE

  AC_MSG_CHECKING([CA cert bundle install path])

  AC_ARG_WITH(ca-bundle,

AC_HELP_STRING([--with-ca-bundle=FILE], [File name to install the CA bundle as])

AC_HELP_STRING([--without-ca-bundle], [Don't install the CA bundle]),

    [ ca="$withval" ],

    [

      if test "x$prefix" != xNONE; then

        ca="\${prefix}/share/curl/curl-ca-bundle.crt"

      else

        ca="$ac_default_prefix/share/curl/curl-ca-bundle.crt"

      fi

    ] )

    if test "x$ca" != "xno"; then

      CURL_CA_BUNDLE='"'$ca'"'

      AC_SUBST(CURL_CA_BUNDLE)

    fi

    AC_MSG_RESULT([$ca])

fi dnl only done if some kind of SSL was enabled

AM_CONDITIONAL(CABUNDLE, test x$ca != xno)

AM_CONDITIONAL(CABUNDLE, test x$ca != xno)

                      Peer SSL Certificate Verification

                      Peer SSL Certificate Verification

                      =================================

                      =================================

libcurl performs peer SSL certificate verification by default. This is done by

libcurl performs peer SSL certificate verification by default.  This is done

installing a default CA cert bundle on 'make install' (or similar), that CA

by using CA cert bundle that the SSL library can use to make sure the peer's

bundle package is used by default on operations against SSL servers.

server certificate is valid.

If you communicate with HTTPS or FTPS servers using certificates that are

If you communicate with HTTPS or FTPS servers using certificates that are

signed by CAs present in the bundle, you can be sure that the remote server

signed by CAs present in the bundle, you can be sure that the remote server

really is the one it claims to be.

really is the one it claims to be.

If the remote server uses a self-signed certificate, if you don't install

Until 7.18.0, curl bundled a severely outdated ca bundle file that was

curl's CA cert bundle, if the server uses a certificate signed by a CA that

installed by default. These days, the curl archives include no ca certs at

isn't included in the bundle or if the remote host is an impostor

all. You need to get them elsewhere. See below for example.

If the remote server uses a self-signed certificate, if you don't install a CA

cert bundle, if the server uses a certificate signed by a CA that isn't

included in the bundle you use or if the remote host is an impostor

impersonating your favorite site, and you want to transfer files from this

impersonating your favorite site, and you want to transfer files from this

server, do one of the following:

server, do one of the following:

    With the curl command line tool: --cacert [file]

    With the curl command line tool: --cacert [file]

 3. Add the CA cert for your server to the existing default CA cert bundle.

 3. Add the CA cert for your server to the existing default CA cert bundle.

    The default path of the CA bundle installed with the curl package is:

    The default path of the CA bundle used can be changed by running configure

    /usr/local/share/curl/curl-ca-bundle.crt, which can be changed by running

    with the --with-ca-bundle option pointing out the path of your choice.

    configure with the --with-ca-bundle option pointing out the path of your

    choice.

    To do this, you need to get the CA cert for your server in PEM format and

    To do this, you need to get the CA cert for your server in PEM format and

    then append that to your CA cert bundle.

    then append that to your CA cert bundle.

     o Append the 'outcert.pem' to the CA cert bundle or use it stand-alone

     o Append the 'outcert.pem' to the CA cert bundle or use it stand-alone

       as described below.

       as described below.

     (Thanks to Frankie V for this description)

    If you use the 'openssl' tool, this is one way to get extract the CA cert

    If you use the 'openssl' tool, this is one way to get extract the CA cert

    for a particular server:

    for a particular server:

       cert_bundle or use it stand-alone as described. Just remember that the

       cert_bundle or use it stand-alone as described. Just remember that the

       security is no better than the way you obtained the certificate.

       security is no better than the way you obtained the certificate.

     (Thanks to Doug Kaufman for this description)

 4. If you're using the curl command line tool, you can specify your own CA

 4. If you're using the curl command line tool, you can specify your own CA

    cert path by setting the environment variable CURL_CA_BUNDLE to the path

    cert path by setting the environment variable CURL_CA_BUNDLE to the path

    of your choice.

    of your choice.