Is curl the good tool

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Apr 26 20:03:41 UTC 2023


> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of
> Viktor Dukhovni
> Sent: Wednesday, 26 April, 2023 13:51
> 
> On Wed, Apr 26, 2023 at 07:34:10PM +0000, Michael Wojcik via openssl-
> users wrote:
> 
> > > My question: if curl is working fine, can I conclude my Apache
> configuration and my certificates are fine ?
> >
> > If you didn't build curl yourself, there's no easy way to know what
> > options were used when compiling it; but I believe by default it does
> > not attempt to validate the peer's certificate chain. You have to use
> > options such as --cacert or --capath to do basic validation, --crlfile
> > to check against a CRL, --cert-status to check OCSP stapling if the
> > peer provides it, and so on.
> 
> This is not accurate.  Curl will do WebPKI certificate verification by default, and
> fail hard when the certificate does not match.  To get unvalidated "https"
> connections, the "-k" option is required to opt out of validation.

Sorry, my mistake. I see now from the curl documentation that it has a collection of trust anchors it ships with.

Since the OP is either using a private CA or self-signed entity certificates (it's not clear from the original message), curl's stock set of trust anchors obviously shouldn't work for verifying their server. But the OP didn't provide a curl command line so it's not clear what tests were performed.

-- 
Michael Wojcik
