On Wed, Apr 26, 2023 at 07:34:10PM +0000, Michael Wojcik via openssl-users wrote:

> > My question: if curl is working fine, can I conclude my Apache configuration and my certificates are fine?
>
> If you didn't build curl yourself, there's no easy way to know what
> options were used when compiling it; but I believe by default it does
> not attempt to validate the peer's certificate chain. You have to use
> options such as --cacert or --capath to do basic validation, --crlfile
> to check against a CRL, --cert-status to check OCSP stapling if the
> peer provides it, and so on.

This is not accurate. Curl will do WebPKI certificate verification by
default, and fail hard when the certificate does not match. To get
unvalidated "https" connections, the "-k" option is required to opt out
of validation.

-- 
    Viktor.
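A local check of curl's default behaviour discussed in this thread, added here as an example and not part of either poster's message: it serves a throwaway self-signed certificate with `openssl s_server` and records curl's exit code with no options, with `--cacert`, and with `-k`/`--insecure`. It assumes curl and OpenSSL 1.1.1 or later are installed; the port number, file names and function names are arbitrary choices.

```shell
#!/bin/sh
# Added example (constructed): needs curl and openssl 1.1.1+; PORT is an arbitrary choice.
PORT=18443
DIR=$(mktemp -d)

curl_rc() {
    # Run curl against the local test server with any extra options; print its exit code.
    rc=0
    curl --silent --output /dev/null --noproxy '*' --max-time 5 \
        --resolve "localhost:$PORT:127.0.0.1" "$@" "https://localhost:$PORT/" || rc=$?
    echo "$rc"
}

start_server() {
    # Self-signed certificate for "localhost": valid name, but no trusted CA vouches for it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -addext "subjectAltName=DNS:localhost" \
        -keyout "$DIR/key.pem" -out "$DIR/cert.pem" >/dev/null 2>&1 || return 1
    openssl s_server -accept "127.0.0.1:$PORT" -www -quiet \
        -cert "$DIR/cert.pem" -key "$DIR/key.pem" >/dev/null 2>&1 &
    SERVER_PID=$!
    tries=0
    while [ "$tries" -lt 10 ]; do          # wait until the listener answers
        [ "$(curl_rc --insecure)" = 0 ] && return 0
        sleep 1
        tries=$((tries + 1))
    done
    return 1
}

demo() {
    start_server || { echo "setup failed" >&2; return 1; }
    DEFAULT_RC=$(curl_rc)                           # no options: default validation
    CACERT_RC=$(curl_rc --cacert "$DIR/cert.pem")   # test certificate trusted explicitly
    INSECURE_RC=$(curl_rc --insecure)               # -k: validation switched off
    kill "$SERVER_PID" 2>/dev/null || true
    rm -rf "$DIR"
    echo "default=$DEFAULT_RC cacert=$CACERT_RC insecure=$INSECURE_RC"
}

demo
```

Exit code 60 is curl's certificate verification failure; a 0 from a plain `curl https://...` therefore means the chain and host name validated against the CA bundle that curl build uses.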