curl-users

Re: Which version of certdata.txt is preferred for mk-ca-bundle, and why?

From: Leif W <warp9pnt9_at_gmail.com>
Date: Sun, 29 Dec 2013 00:14:52 -0500

On 2013-12-28 17:27, Daniel Stenberg wrote:
> On Wed, 18 Dec 2013, Leif W wrote:
>
> Okay, back to this topic again. Sorry for my absence.

No problems, hope you enjoyed holidays and family time, etc. :)

>>> and possibly we should also make it output some general warnings in
>>> the spirit you
>>
>> "Warning: Use of this script will make a security engineer grind his
>> teeth and swear at you." ;)
>>
>> Maybe always print out:
>>
>> "Use of this script may pose some risk, -d risk for more details."
>> And then describe more there?
>
> Right, that's exactly what I meant!

Ok, I will work on this. I notice there is a sub HELP_MESSAGE and a sub
VERSION_MESSAGE (which is never used, but I would fold the stuff within
a preceding if ($opt_i) into that sub, and instead call VERSION_MESSAGE
if ($opt_i)), but will fix that afterwards, as it's not directly related
to the URL issue.

So I'll just create a sub WARNING_MESSAGE, and print that before (or
after?) the HELP_MESSAGE, using WARNING_MESSAGE unless ($opt_q || $url is
secure https or ftps); always print the warning, unless -q is given
to be totally quiet. WARNING_MESSAGE will always print the short form,
unless -d risk was used, in which case it will print a long form.

Cosmetic: Not sure if warning should come before or after the help
message. Coming after may look better, but the help message exits. Need
to call WARNING_MESSAGE twice, and maybe move the exit out of the
HELP_MESSAGE and check $opt_h twice, once to call HELP_MESSAGE(), then
WARNING_MESSAGE(), then check $opt_h again to exit.

Short form warning:

Warning: Use of this script may pose some risk, -d risk for more details.

Long form warning:

Warning: Use of this script may pose some risk:

   1) Using http is subject to man-in-the-middle attack of certdata content
   2) Default to 'release', but more recent updates may be found in other trees
   3) certdata.txt file format may change, lag time to update this script
   4) Generally unwise to blindly trust CAs without manual review & verification
   5) Mozilla apps use additional security checks that aren't represented in certdata
   6) Use of this script will make a security engineer grind his teeth and
      swear at you. ;)

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2013-12-29
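The WARNING_MESSAGE behaviour sketched in the mail, as an added example written for this page (it is not mk-ca-bundle.pl's own code): a function that returns nothing for -q, the short form by default and the long form for -d risk. The function and parameter names are assumed, and so is one refinement beyond the mail: the transport item is dropped when the certdata.txt source URL is https or ftps.

```perl
#!/usr/bin/perl
# Added example, not the mk-ca-bundle.pl code. Names below are assumptions:
# $url is the certdata.txt source, $quiet mirrors -q, $debug is the -d value.
use strict;
use warnings;

# True when the source is fetched over an authenticated transport.
sub source_is_secure {
    my ($url) = @_;
    return $url =~ m{\A(?:https|ftps)://}i ? 1 : 0;
}

# Returns the warning text to print; an empty string means print nothing.
sub warning_text {
    my ($url, $quiet, $debug) = @_;
    return '' if $quiet;    # -q: totally quiet

    my $short = "Warning: Use of this script may pose some risk, "
              . "-d risk for more details.\n";
    return $short unless defined $debug && $debug eq 'risk';

    my @risks = (
        "Using http is subject to man-in-the-middle attack of certdata content",
        "Default to 'release', but more recent updates may be found in other trees",
        "certdata.txt file format may change, lag time to update this script",
        "Generally unwise to blindly trust CAs without manual review & verification",
        "Mozilla apps use additional security checks that aren't represented in certdata",
    );
    # Assumption beyond the mail: the transport item only applies to http/ftp.
    shift @risks if source_is_secure($url);

    my $n = 0;
    return "Warning: Use of this script may pose some risk:\n"
         . join('', map { sprintf "   %d) %s\n", ++$n, $_ } @risks);
}

# Constructed sample invocation: URL from argv (default is a placeholder),
# never quiet, optional -d value as the second argument.
print warning_text($ARGV[0] // 'http://example.invalid/certdata.txt', 0, $ARGV[1]);
```

Because the text is returned rather than printed inside the sub, the caller can emit it both before and after HELP_MESSAGE without the exit-ordering problem the mail describes.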