FreeBSD Port: curl-7.18.0
Jeremy Chadwick
koitsu at FreeBSD.org
Wed Aug 20 22:28:39 UTC 2008
On Wed, Aug 20, 2008 at 02:12:38PM -0700, Pete Stephenson wrote:
> curl maintainer,
>
> I was in contact with my web host to inquire if their installation of
> curl from the FreeBSD Ports could include the Mozilla CA bundle. I am
> attempting to use curl to connect to a site using the StartCom SSL CA
> (http://www.startssl.com/), which is included with the Mozilla bundle,
> but evidently not with the default CA bundle included with curl. As
> such, my use of curl meets with errors relating to the fact that it
> doesn't recognize the CA.
>
> I asked that they include the bundle in their installation, but they
> said, "That would require us to manually update the installed list on
> each and every one of our machines after each and every curl update.
> Curl updates very frequently and we have a lot of machines, so that is
> simply not feasible."

Sounds to me like an incredibly lazy hosting provider, especially if
this is a service you're paying for. It is their responsibility to
provide what their customers want -- software updates are part of
providing a hosting service. (I know, because I've done it for the past
15 years.)
> They suggested that I contact the port maintainer and ask if you could
> alter the port of curl to use the Mozilla CA bundle automatically.
> Evidently this is quite common with Linux distributions. If this were
> the case, all of the host's systems would pick up the change automatically.

But they'd have to update all of their curl software, and they have a
lot of machines, so this is simply not feasible. ;-) (Seriously, what
they're telling you here directly conflicts with what they said above.
Hosting providers these days never cease to amaze me...)
> Additionally, my host suggested, "It may be worth mentioning to
> him/her/it that the Mozilla CA list is already available on FreeBSD in
> PEM format as security/ca_root_nss, so it may be as simple as adding a
> port dependency and changing src/lib/ca-bundle.h."
>
> Is it possible to include the Mozilla CA bundle with curl?

This is really something the curl author(s) should address, not FreeBSD.
The CA list *comes with curl*, not with FreeBSD.
In the meantime, you should be able to use the --capath or --cacert
options with curl, pointing it to a copy of the Mozilla CA on the local
system, to work around said qualms. We do this at my place of
employment for our own CAs.

--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
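The `--cacert` workaround from the reply, shown as an added example that is not part of this thread: a throwaway root CA and leaf certificate are generated inline with the `openssl` CLI (assumed installed; names and paths are constructed), and the same leaf is then checked against the default trust store and against an explicit bundle, which is the difference between plain `curl` and `curl --cacert FILE`.

```shell
#!/bin/sh
# Added example, not part of the list thread. Shows what "curl --cacert FILE" decides:
# trust comes from the bundle you hand it, not the list compiled into curl.
# Assumes the openssl CLI is installed; everything else is constructed inline.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to show" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed root CA + leaf, standing in for an issuer (like StartCom in the
# thread) that is absent from curl's built-in list. Names are hypothetical.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
}

# 0 if CERT ($1) chains to a root inside BUNDLE ($2), 1 otherwise.
# This is the check curl performs when given --cacert BUNDLE.
verify_with_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if CERT ($1) chains to a root in OpenSSL's default store, 1 otherwise.
# Roughly what happens with no --cacert/--capath: only the shipped list counts.
verify_with_default_store() {
    openssl verify "$1" >/dev/null 2>&1
}

make_test_pki
if verify_with_default_store "$WORK/leaf.crt"; then
    echo "default store: trusted (unexpected for a private CA)"
else
    echo "default store: NOT trusted -> the 'unknown CA' error from the thread"
fi
if verify_with_bundle "$WORK/leaf.crt" "$WORK/ca.crt"; then
    echo "with --cacert-style bundle: trusted"
fi
```

On FreeBSD the security/ca_root_nss port installs the Mozilla list as /usr/local/share/certs/ca-root-nss.crt, so the equivalent real invocation is `curl --cacert /usr/local/share/certs/ca-root-nss.crt URL` (or export CURL_CA_BUNDLE to the same path). Note that `--capath` expects a directory of hash-named certificate files as produced by c_rehash, not a single PEM bundle.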