I would like to make you aware that the certificate validation of openssl isn't as complete as in NSS.

For example, NSS is able to handle the blacklisted/distrusted CAs, which have been published by Mozilla, and are being made available as part of the ca-certificates package, while I believe openssl isn't.

In addition, a few CA distrust mechanisms have been implemented at the NSS code level, and no equivalent mechanisms are currently being implemented at the openssl level [1].

As a consequence of the switch to openssl, software that currently uses libcurl would lose these additional trust checks when doing certificate validation for SSL/TLS connections.

Kai

[1] https://wiki.mozilla.org/CA:Root_Store_Trust_Mods