From 789ab20bf783fa86149a665efb8a120ee9205c71 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 23 Jul 2003 11:38:19 +0000 Subject: moved SSLCERTS into the docs/ directory --- docs/SSLCERTS | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 docs/SSLCERTS (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS new file mode 100644 index 000000000..a17b33a6c --- /dev/null +++ b/docs/SSLCERTS 
@@ -0,0 +1,39 @@ + Peer SSL Certificate Verification + ================================= + +Starting in 7.10, libcurl performs peer SSL certificate verification by +default. This is done by installing a default CA cert bundle on 'make install' +(or similar), that CA bundle package is used by default on operations against +SSL servers. + +Alas, if you communicate with HTTPS servers using certificates that are signed +by CAs present in the bundle, you will not notice any changed behavior and you +will seamlessly get a higher security level on your SSL connections since you +can be sure that the remote server really is the one it claims to be. + +If the remote server uses a self-signed certificate, or if you don't install +curl's CA cert bundle or if it uses a certificate signed by a CA that isn't +included in the bundle, then you need to do one of the following: + + 1. Tell libcurl to *not* verify the peer. With libcurl you disable with with + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); + + With the curl command tool, you disable this with -k/--insecure. + + 2. Get a CA certificate that can verify the remote server and use the proper + option to point out this CA cert for verification when connecting. For + libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath); + + With the curl command tool: --cacert [file] + +Neglecting to use one of the above menthods when dealing with a server using a +certficate that isn't signed by one of the certficates in the installed CA +cert bundle, will cause SSL to report an error ("certificate verify failed") +during the handshake and SSL will then refuse further communication with that +server. + +This procedure has been deemed The Right Thing even though it adds this extra +trouble for some users, since it adds security to a majority of the SSL +connections that previously weren't really secure. 
It turned out many people +were using previous versions of curl/libcurl without realizing the need for +the CA cert options to get truly secure SSL connections. -- cgit v1.2.1 From 5fe5de75117b180066798a7a2efb02c606e52465 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 16 Mar 2004 07:25:52 +0000 Subject: added the CA bundle default path, and mention the risk that the server you try to talk to may be an imposter --- docs/SSLCERTS | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index a17b33a6c..f9028c4b1 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS @@ -1,7 +1,7 @@ Peer SSL Certificate Verification ================================= -Starting in 7.10, libcurl performs peer SSL certificate verification by +Since version 7.10, libcurl performs peer SSL certificate verification by default. This is done by installing a default CA cert bundle on 'make install' (or similar), that CA bundle package is used by default on operations against SSL servers. @@ -11,9 +11,11 @@ by CAs present in the bundle, you will not notice any changed behavior and you will seamlessly get a higher security level on your SSL connections since you can be sure that the remote server really is the one it claims to be. -If the remote server uses a self-signed certificate, or if you don't install -curl's CA cert bundle or if it uses a certificate signed by a CA that isn't -included in the bundle, then you need to do one of the following: +If the remote server uses a self-signed certificate, if you don't install +curl's CA cert bundle, if the server uses a certificate signed by a CA that +isn't included in the bundle or if the remoste host is an imposter +impersonating your favourite site, and you want to transfer files from this +server, do one of the following: 1. Tell libcurl to *not* verify the peer. With libcurl you disable with with curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); 
@@ -37,3 +39,8 @@ trouble for some users, since it adds security to a majority of the SSL connections that previously weren't really secure. It turned out many people were using previous versions of curl/libcurl without realizing the need for the CA cert options to get truly secure SSL connections. + +The default path of the CA bundle installed with the curl package is: +/usr/local/share/curl/curl-ca-bundle.crt, which can be changed by running +configure with the --with-ca-bundle option pointing out the path of your +choice. -- cgit v1.2.1 From a7376968d2fac572a085d81bfac8b16e18e83d1e Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 30 Mar 2004 06:46:36 +0000 Subject: mention the fact that you can append a new CA cert to the existing bundle too --- docs/SSLCERTS | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index f9028c4b1..406083f41 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS @@ -28,6 +28,12 @@ server, do one of the following: With the curl command tool: --cacert [file] + 3. Add the CA cert for your server to the existing default CA cert bundle. + The default path of the CA bundle installed with the curl package is: + /usr/local/share/curl/curl-ca-bundle.crt, which can be changed by running + configure with the --with-ca-bundle option pointing out the path of your + choice. + Neglecting to use one of the above menthods when dealing with a server using a certficate that isn't signed by one of the certficates in the installed CA cert bundle, will cause SSL to report an error ("certificate verify failed") 
@@ -40,7 +46,3 @@ connections that previously weren't really secure. It turned out many people were using previous versions of curl/libcurl without realizing the need for the CA cert options to get truly secure SSL connections. -The default path of the CA bundle installed with the curl package is: -/usr/local/share/curl/curl-ca-bundle.crt, which can be changed by running -configure with the --with-ca-bundle option pointing out the path of your -choice. -- cgit v1.2.1 From 964066c0deec87e97771530a63c36d1aa3313eb8 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 29 Jun 2004 07:58:52 +0000 Subject: Added missing info for the command line tool, as noted by Mike Kienenberger --- docs/SSLCERTS | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index 406083f41..8c37987c1 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS @@ -20,13 +20,13 @@ server, do one of the following: 1. Tell libcurl to *not* verify the peer. With libcurl you disable with with curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); - With the curl command tool, you disable this with -k/--insecure. + With the curl command line tool, you disable this with -k/--insecure. 2. Get a CA certificate that can verify the remote server and use the proper option to point out this CA cert for verification when connecting. For libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath); - With the curl command tool: --cacert [file] + With the curl command line tool: --cacert [file] 3. Add the CA cert for your server to the existing default CA cert bundle. The default path of the CA bundle installed with the curl package is: 
@@ -34,6 +34,19 @@ server, do one of the following: configure with the --with-ca-bundle option pointing out the path of your choice. + If you're using the curl command line tool, you can specify your own CA + cert path by setting the environment variable CURL_CA_BUNDLE to the path + of your choice. + + If you're using the curl command line toll on Windows, curl will search + for a CA cert file named "curl-ca-bundle.crt" in these directories and in + this order: + 1. application's directory + 2. current working directory + 3. Windows System directory (e.g. C:\windows\system32) + 4. Windows Directory (e.g. C:\windows) + 5. all directories along %PATH% + Neglecting to use one of the above menthods when dealing with a server using a certficate that isn't signed by one of the certficates in the installed CA cert bundle, will cause SSL to report an error ("certificate verify failed") @@ -45,4 +58,3 @@ trouble for some users, since it adds security to a majority of the SSL connections that previously weren't really secure. It turned out many people were using previous versions of curl/libcurl without realizing the need for the CA cert options to get truly secure SSL connections. - -- cgit v1.2.1 From d4b09994152f7db97bffb8782055fd57a3573dc1 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 29 Jun 2004 13:16:30 +0000 Subject: 'M-x ispell-buffer' --- docs/SSLCERTS | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index 8c37987c1..7ac7f8e77 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS 
@@ -13,8 +13,8 @@ can be sure that the remote server really is the one it claims to be. If the remote server uses a self-signed certificate, if you don't install curl's CA cert bundle, if the server uses a certificate signed by a CA that -isn't included in the bundle or if the remoste host is an imposter -impersonating your favourite site, and you want to transfer files from this +isn't included in the bundle or if the remote host is an impostor +impersonating your favorite site, and you want to transfer files from this server, do one of the following: 1. Tell libcurl to *not* verify the peer. With libcurl you disable with with @@ -38,7 +38,7 @@ server, do one of the following: cert path by setting the environment variable CURL_CA_BUNDLE to the path of your choice. - If you're using the curl command line toll on Windows, curl will search + If you're using the curl command line tool on Windows, curl will search for a CA cert file named "curl-ca-bundle.crt" in these directories and in this order: 1. application's directory @@ -47,8 +47,8 @@ server, do one of the following: 4. Windows Directory (e.g. C:\windows) 5. all directories along %PATH% -Neglecting to use one of the above menthods when dealing with a server using a -certficate that isn't signed by one of the certficates in the installed CA +Neglecting to use one of the above methods when dealing with a server using a +certificate that isn't signed by one of the certificates in the installed CA cert bundle, will cause SSL to report an error ("certificate verify failed") during the handshake and SSL will then refuse further communication with that server. -- cgit v1.2.1 From d003f6e125f5587594d453b6c2001f056c214c29 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 Aug 2004 07:02:51 +0000 Subject: mention the new cool CA extraction way just documented --- docs/SSLCERTS | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'docs/SSLCERTS') 
diff --git a/docs/SSLCERTS b/docs/SSLCERTS index 7ac7f8e77..a46006266 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS @@ -1,15 +1,13 @@ Peer SSL Certificate Verification ================================= -Since version 7.10, libcurl performs peer SSL certificate verification by -default. This is done by installing a default CA cert bundle on 'make install' -(or similar), that CA bundle package is used by default on operations against -SSL servers. +libcurl performs peer SSL certificate verification by default. This is done by +installing a default CA cert bundle on 'make install' (or similar), that CA +bundle package is used by default on operations against SSL servers. -Alas, if you communicate with HTTPS servers using certificates that are signed -by CAs present in the bundle, you will not notice any changed behavior and you -will seamlessly get a higher security level on your SSL connections since you -can be sure that the remote server really is the one it claims to be. +If you communicate with HTTPS or FTPS servers using certificates that are +signed by CAs present in the bundle, you can be sure that the remote server +really is the one it claims to be. If the remote server uses a self-signed certificate, if you don't install curl's CA cert bundle, if the server uses a certificate signed by a CA that @@ -47,6 +45,12 @@ server, do one of the following: 4. Windows Directory (e.g. C:\windows) 5. all directories along %PATH% + 4. Get a better/different/newer CA cert bundle! One option is to extract the + one a recent Mozilla browser uses, by following the instruction found + here: + + http://curl.haxx.se/docs/caextract.html + Neglecting to use one of the above methods when dealing with a server using a certificate that isn't signed by one of the certificates in the installed CA cert bundle, will cause SSL to report an error ("certificate verify failed") -- cgit v1.2.1 From c10196afc03b79d6a759f672342222d68b074c31 Mon Sep 17 00:00:00 2001 
From: Daniel Stenberg Date: Wed, 25 Aug 2004 08:09:48 +0000 Subject: Frankie V's description on how to get a CA cert for a random site using IE --- docs/SSLCERTS | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index a46006266..c4d940ae7 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS @@ -32,7 +32,25 @@ server, do one of the following: configure with the --with-ca-bundle option pointing out the path of your choice. - If you're using the curl command line tool, you can specify your own CA + To do this, you need to get the CA cert for your server in PEM format and + then append that to your CA cert bundle. + + If you use Internet Explorer, this is one way to get extract the CA cert + for a particular server: + + o View the certificate by double-clicking the padlock + o Find out where the CA certificate is kept (Certificate> + Authority Information Access>URL) + o Get a copy of the crt file using curl + o Convert it from crt to PEM using the openssl tool: + openssl x509 -inform DES -in yourdownloaded.crt \ + -out outcert.pem -text + o Append the 'outcert.pem' to the CA cert bundle or use it stand-alone + as described below. + + (Thanks to Frankie V for this description) + + 4. If you're using the curl command line tool, you can specify your own CA cert path by setting the environment variable CURL_CA_BUNDLE to the path of your choice. @@ -45,7 +63,7 @@ server, do one of the following: 4. Windows Directory (e.g. C:\windows) 5. all directories along %PATH% - 4. Get a better/different/newer CA cert bundle! One option is to extract the + 5. Get a better/different/newer CA cert bundle! One option is to extract the one a recent Mozilla browser uses, by following the instruction found here: 
@@ -56,9 +74,3 @@ certificate that isn't signed by one of the certificates in the installed CA cert bundle, will cause SSL to report an error ("certificate verify failed") during the handshake and SSL will then refuse further communication with that server. - -This procedure has been deemed The Right Thing even though it adds this extra -trouble for some users, since it adds security to a majority of the SSL -connections that previously weren't really secure. It turned out many people -were using previous versions of curl/libcurl without realizing the need for -the CA cert options to get truly secure SSL connections. -- cgit v1.2.1 From 73dd4501478cfd73edd4ff37af043044b838159f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sun, 12 Sep 2004 18:27:12 +0000 Subject: describes how you can extract the CA cert from a site using the openssl tool --- docs/SSLCERTS | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index c4d940ae7..3109cdd06 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS 
@@ -50,6 +50,22 @@ server, do one of the following: (Thanks to Frankie V for this description) + If you use the 'openssl' tool, this is one way to get extract the CA cert + for a particular server: + + o openssl s_client -connect xxxxx.com:443 |tee logfile + o type "QUIT", followed by the "ENTER" key + o The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" + markers. + o If you want to see the data in the certificate, you can do: "openssl + x509 -inform PEM -in certfile -text -out certdata" where certfile is + the cert you extracted from logfile. Look in certdata. + o If you want to trust the certificate, you can append it to your + cert_bundle or use it stand-alone as described. Just remember that the + security is no better than the way you obtained the certificate. + + (Thanks to Doug Kaufman for this description) + 4. If you're using the curl command line tool, you can specify your own CA cert path by setting the environment variable CURL_CA_BUNDLE to the path of your choice. -- cgit v1.2.1 From 1fd7085ef1d0e13ca56d9785dcfb5f3907eb362d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 8 Feb 2008 11:18:23 +0000 Subject: for step 5, mention that we can now generate an own version locally if wanted instead of downloading it from the curl site --- docs/SSLCERTS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index 3109cdd06..6719eac21 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS @@ -80,8 +80,9 @@ server, do one of the following: 5. all directories along %PATH% 5. Get a better/different/newer CA cert bundle! One option is to extract the - one a recent Mozilla browser uses, by following the instruction found - here: + one a recent Mozilla browser uses by running 'make ca-bundle' in the curl + build tree root, or possibly download a version that was generated this + way for you: http://curl.haxx.se/docs/caextract.html -- cgit v1.2.1 
From 339ebdf08b409fd74761472954b646889366d5d4 Mon Sep 17 00:00:00 2001 From: Gunter Knauf Date: Fri, 8 Feb 2008 21:04:24 +0000 Subject: fixed a typo. --- docs/SSLCERTS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index 6719eac21..040bc7d3c 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS @@ -15,7 +15,7 @@ isn't included in the bundle or if the remote host is an impostor impersonating your favorite site, and you want to transfer files from this server, do one of the following: - 1. Tell libcurl to *not* verify the peer. With libcurl you disable with with + 1. Tell libcurl to *not* verify the peer. With libcurl you disable this with curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); With the curl command line tool, you disable this with -k/--insecure. -- cgit v1.2.1 From fb23b85770b72b25448a99108f80fc4d6b8e10ac Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 18 Feb 2008 11:35:12 +0000 Subject: - We're no longer providing a very old ca-bundle in the curl tarball. You can get a fresh one downloaded and created with 'make ca-bundle' or you can get one from here => http://curl.haxx.se/docs/caextract.html if you want a fresh new one extracted from Mozilla's recent list of ca certs. The configure option --with-ca-bundle now lets you specify what file to use as default ca bundle for your build. If not specified, the configure script will check a few known standard places for a global ca cert to use. --- docs/SSLCERTS | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index 040bc7d3c..059644083 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS 
@@ -1,17 +1,21 @@ Peer SSL Certificate Verification ================================= -libcurl performs peer SSL certificate verification by default. This is done by -installing a default CA cert bundle on 'make install' (or similar), that CA -bundle package is used by default on operations against SSL servers. +libcurl performs peer SSL certificate verification by default. This is done +by using CA cert bundle that the SSL library can use to make sure the peer's +server certificate is valid. If you communicate with HTTPS or FTPS servers using certificates that are signed by CAs present in the bundle, you can be sure that the remote server really is the one it claims to be. -If the remote server uses a self-signed certificate, if you don't install -curl's CA cert bundle, if the server uses a certificate signed by a CA that -isn't included in the bundle or if the remote host is an impostor +Until 7.18.0, curl bundled a severely outdated ca bundle file that was +installed by default. These days, the curl archives include no ca certs at +all. You need to get them elsewhere. See below for example. + +If the remote server uses a self-signed certificate, if you don't install a CA +cert bundle, if the server uses a certificate signed by a CA that isn't +included in the bundle you use or if the remote host is an impostor impersonating your favorite site, and you want to transfer files from this server, do one of the following: 
@@ -27,10 +31,8 @@ server, do one of the following: With the curl command line tool: --cacert [file] 3. Add the CA cert for your server to the existing default CA cert bundle. - The default path of the CA bundle installed with the curl package is: - /usr/local/share/curl/curl-ca-bundle.crt, which can be changed by running - configure with the --with-ca-bundle option pointing out the path of your - choice. + The default path of the CA bundle used can be changed by running configure + with the --with-ca-bundle option pointing out the path of your choice. To do this, you need to get the CA cert for your server in PEM format and then append that to your CA cert bundle. @@ -48,8 +50,6 @@ server, do one of the following: o Append the 'outcert.pem' to the CA cert bundle or use it stand-alone as described below. - (Thanks to Frankie V for this description) - If you use the 'openssl' tool, this is one way to get extract the CA cert for a particular server: @@ -64,8 +64,6 @@ server, do one of the following: cert_bundle or use it stand-alone as described. Just remember that the security is no better than the way you obtained the certificate. - (Thanks to Doug Kaufman for this description) - 4. If you're using the curl command line tool, you can specify your own CA cert path by setting the environment variable CURL_CA_BUNDLE to the path of your choice. -- cgit v1.2.1 From 681162510a18577955a0334fb08c2510535ef5d9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 18 Aug 2009 19:51:18 +0000 Subject: the mozilla browser is called Firefox... --- docs/SSLCERTS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index 059644083..a8ea9194b 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS 
@@ -78,7 +78,7 @@ server, do one of the following: 5. all directories along %PATH% 5. Get a better/different/newer CA cert bundle! One option is to extract the - one a recent Mozilla browser uses by running 'make ca-bundle' in the curl + one a recent Firefox browser uses by running 'make ca-bundle' in the curl build tree root, or possibly download a version that was generated this way for you: -- cgit v1.2.1 From 14a3f4cd54b9e2fb0c191ec94c7e9d67a035d556 Mon Sep 17 00:00:00 2001 From: Gunter Knauf Date: Mon, 21 Sep 2009 23:00:12 +0000 Subject: added section for libcurl builds with NSS SSL support. --- docs/SSLCERTS | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index a8ea9194b..2ace720c2 100644 --- a/docs/SSLCERTS +++ b/docs/SSLCERTS 
@@ -89,3 +89,28 @@ certificate that isn't signed by one of the certificates in the installed CA cert bundle, will cause SSL to report an error ("certificate verify failed") during the handshake and SSL will then refuse further communication with that server. + + Peer SSL Certificate Verification with NSS + ========================================== + +If libcurl is build with NSS support then depending on the OS distribution it +is probably required to take some additional steps to use the system-wide CA +cert db. RedHat ships with an additional module libnsspem.so which enables NSS +to read the OpenSSL PEM CA bundle. With OpenSuSE this lib is missing, and NSS +can only work with its own internal formats. Also NSS got a new database +format: +https://wiki.mozilla.org/NSS_Shared_DB +Starting with version 7.19.7 libcurl will check for the NSS version it runs, +and add automatically the 'sql:' prefix to the certdb directory (either the +hardcoded default /etc/pki/nssdb or the directory configured with SSL_DIR +environment variable) if a version 3.12.0 or later is detected. +To check which certdb format your distribution provides examine the default +certdb location /etc/pki/nssdb; the new certdb format can be identified by +the filenames cert9.db, key4.db, pkcs11.txt; filenames of older versions are +cert8.db, key3.db, modsec.db. +Usually these cert databases are empty; but NSS also has built-in CAs which are +provided through a shared library libnssckbi.so; if you want to use these +built-in CAs then create a symlink to libnssckbi.so in /etc/pki/nssdb: +ln -s /usr/lib[64]/libnssckbi.so /etc/pki/nssdb/libnssckbi.so + + -- cgit v1.2.1 From a07bc79117971b96ebf3188c0a34a73ee0a3609b Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Sun, 14 Feb 2010 19:40:18 +0000 Subject: removed trailing whitespace --- docs/SSLCERTS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/SSLCERTS') diff --git a/docs/SSLCERTS b/docs/SSLCERTS index 2ace720c2..0d1414cea 100644 
--- a/docs/SSLCERTS +++ b/docs/SSLCERTS @@ -103,7 +103,7 @@ https://wiki.mozilla.org/NSS_Shared_DB Starting with version 7.19.7 libcurl will check for the NSS version it runs, and add automatically the 'sql:' prefix to the certdb directory (either the hardcoded default /etc/pki/nssdb or the directory configured with SSL_DIR -environment variable) if a version 3.12.0 or later is detected. +environment variable) if a version 3.12.0 or later is detected. To check which certdb format your distribution provides examine the default certdb location /etc/pki/nssdb; the new certdb format can be identified by the filenames cert9.db, key4.db, pkcs11.txt; filenames of older versions are -- cgit v1.2.1
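Review bot: in commit 789ab20 (hunk @@ -0,0 +1,39), item 2 pairs the libcurl option CURLOPT_CAPATH with the command line option --cacert [file], and these are not equivalents. CURLOPT_CAPATH names a directory of CA certs; the libcurl option that takes a single CA cert file, matching --cacert, is CURLOPT_CAINFO. Suggest showing CURLOPT_CAINFO in item 2, and documenting --capath next to CURLOPT_CAPATH if the directory form should be covered as well. Smaller points in the same hunk: "Alas" says the opposite of what the paragraph means, and "disable with with", "menthods" and "certficate" are typos.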
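Review bot: in commit 5fe5de7 (hunk @@ -11,9 +11,11), the rewritten sentence puts "the remoste host is an imposter impersonating your favourite site" in the same list as the benign causes and then continues with "do one of the following", whose item 1 is turning verification off. A reader who cannot tell which of the listed causes applies is being pointed at the one option that removes the check that would have caught the impostor. Suggest moving the impostor case into its own sentence that says a verify failure may mean exactly this, and that item 1 gives no protection against it. "remoste" is a typo.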
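Review bot: in commit 964066c (hunk @@ -34,6 +34,19), the Windows search order lists "current working directory" and "all directories along %PATH%" without saying what that means for trust. Any file named curl-ca-bundle.crt found in one of those places becomes the set of CAs curl accepts, so the text should say that these directories must be writable only by users you trust, or recommend setting CURL_CA_BUNDLE or --cacert explicitly. Structure in the same hunk: the CURL_CA_BUNDLE paragraph is a separate method but sits inside item 3, and the nested list reuses the numbers 1 to 5 of the outer list. "toll" is a typo.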
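Review bot: in commit d003f6e (hunk @@ -47,6 +45,12), the new item 4 sends the reader to http://curl.haxx.se/docs/caextract.html for a replacement CA bundle, and nothing in the text says how to check what was downloaded. The bundle is the root of every later verification, so a sentence telling the reader to obtain or check it over a channel they already trust belongs here. Separately, the first hunk drops "Since version 7.10" from the opening sentence, which was the only place the document said when the default changed; suggest keeping that fact somewhere.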
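Review bot: in commit c10196a (hunk @@ -32,7 +32,25), the conversion step reads "openssl x509 -inform DES", and DES is not an input format of openssl x509; the formats -inform takes are DER and PEM, so this should be "-inform DER". The step "Get a copy of the crt file using curl" also fetches a cert that nothing has authenticated yet, and the text should say so before telling the reader to append it to the bundle. "get extract" should be "extract".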
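Review bot: in commit c10196a (hunk @@ -56,9 +74,3), the closing paragraph that begins "This procedure has been deemed The Right Thing" is deleted, and the commit subject only mentions Frankie V's description. That paragraph was the document's explanation of why verification is on by default. Suggest either keeping it or removing it in a separate commit whose message says so.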
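Review bot: in commit 73dd450 (hunk @@ -50,6 +50,22), the heading promises a way to extract "the CA cert for a particular server", but "openssl s_client -connect xxxxx.com:443" as written prints the server's own certificate, not the certificate of the CA that signed it. Suggest either rewording to "the server's certificate" or adding -showcerts so the chain sent by the server is printed, and saying which block to copy. The list also never says how to get from logfile to certfile (copy the lines from BEGIN CERTIFICATE to END CERTIFICATE inclusive), and "cert_bundle" should match the "CA cert bundle" wording used elsewhere. The last bullet's caveat about how the certificate was obtained is the important sentence here and would read better as its own paragraph.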
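Review bot: in commit fb23b85 (hunk @@ -27,10 +31,8), item 3 still opens with "Add the CA cert for your server to the existing default CA cert bundle" while the new introduction in the first hunk says the curl archives "include no ca certs at all". With the /usr/local/share/curl/curl-ca-bundle.crt path removed as well, the reader is no longer told which file to append to or how to find it. Suggest stating how to locate the bundle the build was configured with, or pointing at item 5 first. In the first hunk, "by using CA cert bundle" is missing an article and "See below for example" does not say which item is meant.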
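Review bot: in commit fb23b85 (hunks @@ -48,8 +50,6 and @@ -64,8 +64,6), the lines "(Thanks to Frankie V for this description)" and "(Thanks to Doug Kaufman for this description)" are removed, and the commit message, which is about the ca-bundle no longer being shipped, does not mention it. If the credits are being moved elsewhere, say where in the message; otherwise suggest leaving them in place.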
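Review bot: in commit 14a3f4c (hunk @@ -89,3 +89,28), the last line gives "ln -s /usr/lib[64]/libnssckbi.so /etc/pki/nssdb/libnssckbi.so" as if it were a command to type, but "lib[64]" is shorthand for /usr/lib or /usr/lib64 and not a literal path. Suggest spelling out both variants or saying to pick the one that exists on the system. The text should also say that this symlink makes NSS trust every built-in CA in that library, since the preceding sentence notes the cert databases are usually empty. The section is one unbroken block with the URL and the command inline; blank lines around them would match the layout of the section above. "is build" should be "is built".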