FreeBSD Port: curl-7.18.0

Jeremy Chadwick koitsu at
Wed Aug 20 22:28:39 UTC 2008

On Wed, Aug 20, 2008 at 02:12:38PM -0700, Pete Stephenson wrote:
> curl maintainer,
> I was in contact with my web host to inquire if their installation of
> curl from the FreeBSD Ports could include the Mozilla CA bundle. I am
> attempting to use curl to connect to a site using the StartCom SSL CA
> (, which is included with the Mozilla bundle,
> but evidently not with the default CA bundle included with curl. As
> such, my use of curl meets with errors relating to the fact that it
> doesn't recognize the CA.
> I asked that they include the bundle in their installation, but they
> said, "That would require us to manually update the installed list on
> each and every one of our machines after each and every curl update.
> Curl updates very frequently and we have a lot of machines, so that is
> simply not feasible."

Sounds to me like an incredibly lazy hosting provider, especially if
this is a service you're paying for.  It is their responsibility to
provide what their customers want -- software updates are part of
providing a hosting service.  (I know, because I've done it for the past
15 years.)

> They suggested that I contact the port maintainer and ask if you could
> alter the port of curl to use the Mozilla CA bundle automatically.
> Evidently this is quite common with Linux distributions. If this were
> the case, all of the host's systems would pick up the change automatically.

But they'd have to update all of their curl software, and they have a
lot of machines, so this is simply not feasible.  ;-)  (Seriously, what
they're telling you here directly conflicts with what they said above.
Hosting providers these days never cease to amaze me...)

> Additionally, my host suggested, "It may be worth mentioning to
> him/her/it that the Mozilla CA list is already available on FreeBSD in
> PEM format as security/ca_root_nss, so it may be as simple as adding a
> port dependency and changing src/lib/ca-bundle.h."
> Is it possible to include the Mozilla CA bundle with curl?

This is really something the curl author(s) should address, not FreeBSD.
The CA list *comes with curl*, not with FreeBSD.

In the meantime, you should be able to use the --capath or --cacert
options with curl, pointing it to a copy of the Mozilla CA on the local
system, to work around said qualms.  We do this at my place of
employment for our own CAs.

| Jeremy Chadwick                                jdc at |
| Parodius Networking              |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
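The --cacert workaround from the reply above, as an added example that is not part of the original message: a per-user wrapper that picks a CA bundle and passes it to curl with verification left on. The function names, the `CA_CANDIDATES` variable and the `$HOME/certs/mozilla-ca.pem` path are hypothetical, and the `ca-root-nss.crt` location is an assumption about where the security/ca_root_nss port installs its PEM file.

```shell
#!/bin/sh
# Added example: use a local copy of the Mozilla CA bundle with curl
# without changing the system-wide curl installation.

# Candidate bundles, first usable one wins (space-separated, so paths must
# not contain spaces). Both paths are assumptions; adjust for your host.
CA_CANDIDATES="${CA_CANDIDATES:-$HOME/certs/mozilla-ca.pem /usr/local/share/certs/ca-root-nss.crt}"

# Print the number of PEM certificate blocks in a file (0 if unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the first candidate that is readable and holds at least one
# certificate; fail if none qualifies, so a missing or empty file is
# caught before curl is ever invoked.
pick_ca_bundle() {
    for f in $CA_CANDIDATES; do
        if [ "$(count_pem_certs "$f")" -gt 0 ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Run curl with the chosen bundle. Verification stays enabled; the only
# change is which trust anchors curl consults.
curl_with_bundle() {
    bundle=$(pick_ca_bundle) || {
        echo "no usable CA bundle found in: $CA_CANDIDATES" >&2
        return 1
    }
    curl --cacert "$bundle" "$@"
}
```

Source the file and call `curl_with_bundle` with the usual curl arguments. curl also reads a bundle path from the `CURL_CA_BUNDLE` environment variable, which avoids the wrapper when one fixed path is enough.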

More information about the freebsd-ports mailing list