Date: Wed, 20 Aug 2008 15:28:38 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Pete Stephenson <pete@heypete.com>
Cc: ports@FreeBSD.org, roam@FreeBSD.org
Subject: Re: FreeBSD Port: curl-7.18.0
Message-ID: <20080820222838.GA59382@eos.sc1.parodius.com>
In-Reply-To: <48AC88C6.1020802@heypete.com>
References: <48AC88C6.1020802@heypete.com>

On Wed, Aug 20, 2008 at 02:12:38PM -0700, Pete Stephenson wrote:
> curl maintainer,
>
> I was in contact with my web host to inquire if their installation of
> curl from the FreeBSD Ports could include the Mozilla CA bundle. I am
> attempting to use curl to connect to a site using the StartCom SSL CA
> (http://www.startssl.com/), which is included with the Mozilla bundle,
> but evidently not with the default CA bundle included with curl. As
> such, my use of curl meets with errors relating to the fact that it
> doesn't recognize the CA.
>
> I asked that they include the bundle in their installation, but they
> said, "That would require us to manually update the installed list on
> each and every one of our machines after each and every curl update.
> Curl updates very frequently and we have a lot of machines, so that is
> simply not feasible."

Sounds to me like an incredibly lazy hosting provider, especially if
this is a service you're paying for. It is their responsibility to
provide what their customers want -- software updates are part of
providing a hosting service. (I know, because I've done it for the past
15 years.)

> They suggested that I contact the port maintainer and ask if you could
> alter the port of curl to use the Mozilla CA bundle automatically.
> Evidently this is quite common with Linux distributions. If this were
> the case, all of the host's systems would pick up the change automatically.

But they'd have to update all of their curl software, and they have a
lot of machines, so this is simply not feasible. ;-)

(Seriously, what they're telling you here directly conflicts with what
they said above. Hosting providers these days never cease to amaze
me...)

> Additionally, my host suggested, "It may be worth mentioning to
> him/her/it that the Mozilla CA list is already available on FreeBSD in
> PEM format as security/ca_root_nss, so it may be as simple as adding a
> port dependency and changing src/lib/ca-bundle.h."
>
> Is it possible to include the Mozilla CA bundle with curl?

This is really something the curl author(s) should address, not FreeBSD.
The CA list *comes with curl*, not with FreeBSD.

In the meantime, you should be able to use the --capath or --cacert
options with curl, pointing it to a copy of the Mozilla CA on the local
system, to work around said qualms. We do this at my place of
employment for our own CAs.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
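
The --cacert / --capath workaround mentioned in the reply above, as an added example that is not part of the original message or of curl itself: a wrapper that picks the right option for a PEM bundle file or a hashed certificate directory and refuses to run otherwise. The function names `ca_flag` and `fetch_with_ca`, the bundle path and the URL are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original message): pick curl's trust-store
# option for a caller-supplied CA location and fail closed otherwise.

# ca_flag PATH -> prints "--cacert" for a PEM bundle file, "--capath" for a
# directory of hash-named certificates; returns non-zero for anything else.
ca_flag() {
    ca=$1
    if [ -f "$ca" ] && [ -r "$ca" ]; then
        # A usable bundle holds at least one PEM certificate block.
        if grep -q 'BEGIN CERTIFICATE' "$ca"; then
            printf '%s\n' '--cacert'
            return 0
        fi
        echo "ca_flag: no PEM certificate found in $ca" >&2
        return 1
    fi
    if [ -d "$ca" ]; then
        # With an OpenSSL-built curl, --capath only finds files named by
        # subject hash (e.g. 0123abcd.0), as created by c_rehash.
        if ls "$ca" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            printf '%s\n' '--capath'
            return 0
        fi
        echo "ca_flag: $ca has no hash-named certificates" >&2
        return 1
    fi
    echo "ca_flag: $ca is not a readable file or directory" >&2
    return 1
}

# fetch_with_ca PATH URL -> runs curl against URL with PATH as the CA source.
# There is deliberately no fallback to -k/--insecure when PATH is unusable.
fetch_with_ca() {
    flag=$(ca_flag "$1") || return 1
    curl --fail --silent --show-error "$flag" "$1" "$2"
}

# Usage (placeholder path and URL):
#   fetch_with_ca /path/to/ca-root-nss.crt https://www.example.org/
```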