On 12/21/2017 5:21 PM, Dave S via curl-library wrote:

> <quote edited=true>
> The certificates for TBD Portal (tbd.tbdservice.com
> <http://tbd.tbdservice.com>) and MainTBD Portal (*.tbdservice.com
> <http://tbdservice.com>) will be updated Jan 17, 2018 due to Google’s
> plan to distrust certificates issued prior to 6/1/2016 under the
> Symantec infrastructure. Please install the new certificate on your
> systems before the renewal date and test your integrations in TBD
> before Feb 14, 2018.
> </quote>
>
> I don't see anything I have to do on my development systems -- the
> browser should handle the certificate update for me, right? But on
> many of the systems where my code is deployed, there is no reason to
> expect the users to view web pages from that server, so the browser
> won't have a need to update those certs. I currently don't do
> anything explicit about certs, letting libcurl find the system
> defaults. Do I need to take action, and if so ... what? Or will it
> all get worked out for me behind the curtain?

There's not enough information to tell. Basically if the SSL library libcurl is using doesn't have the CA that TBD is going to use for the new certificate then libcurl wouldn't be able to successfully connect to the server. Contact the company and ask them what CA they are going to use to sign the certificate.

Next focus on what CA bundle/database/directory location libcurl is using. Sometimes you can see that by enabling verbose mode. If your program specified a database using CAINFO or CAPATH then check there. Otherwise check the default location set at build-time. It may or may not be using a location that is updated by your operating system, that is up to you to determine.

If the CA is missing in an OS-maintained location you will need to find out if the OS plans to add it. If not then you're on your own to do that. Please let us know what happens for the benefit of anyone who may find themselves in a similar situation.

Also: This makes me think of a more likely break scenario where some servers just aren't going to change their certificate, and Mozilla and Google (and MS and Apple?) remove the Symantec CA certs from their bundle and that trickles down, and libcurl is using one of those OS-updated bundles.
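
The check described in the reply above, as an added example that is not part of the original thread and is not curl's own code: read the CAfile/CApath lines from verbose output, then look for the vendor's CA in that bundle. The log excerpt, host name, paths and certificate entries are constructed samples, and the function names are hypothetical; not every TLS backend prints these lines.

```python
import re
import ssl

# Constructed `curl -v` excerpt (OpenSSL-backed build); host and paths are samples.
SAMPLE_VERBOSE = """\
* Connected to portal.example.com (192.0.2.10) port 443
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
"""

# Constructed entries in the shape ssl.SSLContext.get_ca_certs() returns.
SAMPLE_CERTS = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust Co"),),
                 (("commonName", "Example Root CA 1"),)),
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
    {"subject": ((("organizationName", "Constructed Org"),),
                 (("commonName", "Constructed Root R2"),)),
     "notAfter": "Jun  1 00:00:00 2030 GMT"},
]

# Matches both "*  CAfile: ..." and the older continuation form "  CApath: ...".
_LOC = re.compile(r"^\*?\s*(CAfile|CApath):\s*(\S.*?)\s*$", re.M)

def verify_locations(verbose_text):
    """Extract the CAfile/CApath lines curl prints in verbose mode."""
    found = {"CAfile": None, "CApath": None}
    for key, value in _LOC.findall(verbose_text):
        found[key] = None if value == "none" else value
    return found

def load_bundle(cafile):
    """Load a PEM bundle file and return its CA certificates as dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()

def find_ca(ca_certs, needle):
    """Return (name, notAfter) for CAs whose O or CN contains needle."""
    hits = []
    for cert in ca_certs:
        names = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
        org, cn = names.get("organizationName", ""), names.get("commonName", "")
        if needle.lower() in f"{org} {cn}".lower():
            hits.append((cn or org, cert.get("notAfter")))
    return hits

if __name__ == "__main__":
    locs = verify_locations(SAMPLE_VERBOSE)
    print(locs, find_ca(SAMPLE_CERTS, "example trust"))
    # Real use: find_ca(load_bundle(locs["CAfile"]), "<CA name from the vendor>")
```

An empty result from find_ca for the CA name the vendor gives means the bundle libcurl reads does not yet carry that CA; a CApath directory has to be inspected separately, since load_bundle only reads a single bundle file.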
