History log of /curl/tests/certs/Server-localhost-lastSAN-sv.key (Results 1 – 5 of 5)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
# ef07452a 23-Dec-2022 Paul Howarth

tests: avoid use of sha1 in certificates

The SHA-1 algorithm is deprecated (particularly for security-sensitive
applications) in a variety of OS environments. This already affects
RH

tests: avoid use of sha1 in certificates

The SHA-1 algorithm is deprecated (particularly for security-sensitive
applications) in a variety of OS environments. This already affects
RHEL-9 and derivatives, which are not willing to use certificates using
that algorithm. The fix is to use sha256 instead, which is already used
for most of the other certificates in the test suite.

Fixes #10135

This gets rid of issues related to sha1 signatures.

Manual steps after "make clean-certs" and "make build-certs":

- Copy tests/certs/stunnel-sv.pem to tests/stunnel.pem
(make clean-certs does not remove the original tests/stunnel.pem)

- Copy tests/certs/Server-localhost-sv.pubkey-pinned into --pinnedpubkey
options of tests/data/test2041 and tests/data/test2087

Closes #10153

show more ...


# f7029718 25-Nov-2022 Stefan Eissing

tests: add authorityInfoAccess to generated certs

Generate stunnel.pem as well

Closes #9980


Revision tags: curl-7_76_1, curl-7_76_0, curl-7_75_0, curl-7_74_0, curl-7_73_0, tiny-curl-7_72_0, curl-7_72_0, curl-7_71_1, curl-7_71_0, curl-7_70_0, curl-7_69_1, curl-7_69_0, curl-7_68_0, curl-7_67_0
# 2839cfdc 02-Nov-2019 Marcel Raad

certs/Server-localhost-lastSAN-sv: regenerate with sha256

All other certificates were regenerated in commit ba782baac30, but
this one was missed.
Fixes test3001 on modern systems.

certs/Server-localhost-lastSAN-sv: regenerate with sha256

All other certificates were regenerated in commit ba782baac30, but
this one was missed.
Fixes test3001 on modern systems.

Closes https://github.com/curl/curl/pull/4551

show more ...


Revision tags: curl-7_66_0, curl-7_65_3, curl-7_65_2, curl-7_65_1, curl-7_65_0, curl-7_64_1, curl-7_64_0, curl-7_63_0, curl-7_62_0
# 92f9db17 10-Sep-2018 Yiming Jing

tests/certs: rebuild certs with 2048-bit RSA keys

The previous test certificates contained RSA keys of only 1024 bits.
However, RSA claims that 1024-bit RSA keys are likely to become

tests/certs: rebuild certs with 2048-bit RSA keys

The previous test certificates contained RSA keys of only 1024 bits.
However, RSA claims that 1024-bit RSA keys are likely to become
crackable some time before 2010. The NIST recommends at least 2048-bit
keys for RSA for now.

Better use full 2048 also for testing.

Closes #2973

show more ...


Revision tags: curl-7_61_1, curl-7_61_0, curl-7_60_0, curl-7_59_0, curl-7_58_0, curl-7_57_0, curl-7_56_1, curl-7_56_0, curl-7_55_1, curl-7_55_0, curl-7_54_1, curl-7_54_0
# 89963002 10-Mar-2017 Dan McNulty

schannel: add support for CURLOPT_CAINFO

- Move verify_certificate functionality in schannel.c into a new
file called schannel_verify.c. Additionally, some structure defintions
f

schannel: add support for CURLOPT_CAINFO

- Move verify_certificate functionality in schannel.c into a new
file called schannel_verify.c. Additionally, some structure defintions
from schannel.c have been moved to schannel.h to allow them to be
used in schannel_verify.c.

- Make verify_certificate functionality for Schannel available on
all versions of Windows instead of just Windows CE. verify_certificate
will be invoked on Windows CE or when the user specifies
CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.

- In verify_certificate, create a custom certificate chain engine that
exclusively trusts the certificate store backed by the CURLOPT_CAINFO
file.

- doc updates of --cacert/CAINFO support for schannel

- Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
when available. This implements a TODO in schannel.c to improve
handling of multiple SANs in a certificate. In particular, all SANs
will now be searched instead of just the first name.

- Update tool_operate.c to not search for the curl-ca-bundle.crt file
when using Schannel to maintain backward compatibility. Previously,
any curl-ca-bundle.crt file found in that search would have been
ignored by Schannel. But, with CAINFO support, the file found by
that search would have been used as the certificate store and
could cause issues for any users that have curl-ca-bundle.crt in
the search path.

- Update url.c to not set the build time CURL_CA_BUNDLE if the selected
SSL backend is Schannel. We allow setting CA location for schannel
only when explicitly specified by the user via CURLOPT_CAINFO /
--cacert.

- Add new test cases 3000 and 3001. These test cases check that the first
and last SAN, respectively, matches the connection hostname. New test
certificates have been added for these cases. For 3000, the certificate
prefix is Server-localhost-firstSAN and for 3001, the certificate
prefix is Server-localhost-secondSAN.

- Remove TODO 15.2 (Add support for custom server certificate
validation), this commit addresses it.

Closes https://github.com/curl/curl/pull/1325

show more ...