curl-users
Re: ca-cert bundle missing Verisign cert, breaking SSL to Amazon
Date: Mon, 27 Oct 2014 22:56:41 +0100 (CET)
On Mon, 27 Oct 2014, Lamont Granquist wrote:
> The latest http://curl.haxx.se/ca/cacert.pem drops these certs:
...
> If those are being dropped after being scraped, then someone should probably
> be made aware that it's a cert at the base of Amazon's SSL certs and removing
> that cert from the ca-bundle breaks https://s3.amazonaws.com and
> https://amazon.com
I'm pretty sure they are dropped on purpose because of the recently introduced
RSA-1024 bit requirement as mentioned here:
http://curl.haxx.se/docs/caextract.html, at least they vanished with that
specific mozilla bump.
That's also a reason why we point to the last cacert.pem from before that
change on that same web page.
Of course, it could also be a bug in the mk-ca-bundle script.
See https://kuix.de/blog/index.php?entry=Cleanup-of-1024-bit-CA-certificates
At the bottom it lists these certs as "weak" and I suspect it is that
attribute that makes our script exclude them.
--
/ daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-27
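The thread above turns on a question a practitioner will want to answer for their own bundle: which roots in a curl-style cacert.pem still carry an RSA key shorter than 2048 bits. The following is an added example, not code from the curl project or from mk-ca-bundle.pl, and it does not reproduce mk-ca-bundle's actual selection logic (which works from the Mozilla certdata.txt trust attributes, not from key sizes). It uses only the Python standard library: a minimal DER walker pulls the RSA modulus out of each certificate's SubjectPublicKeyInfo and flags anything below a threshold. The sample bundle at the bottom is constructed in this example (synthetic, unsigned certificates laid out like curl's cacert.pem) and contains no real CA data; the function and label names are this example's own.

```python
"""Flag CA certificates in a curl-style cacert.pem whose RSA key is shorter
than a threshold (e.g. the 1024-bit roots Mozilla removed in 2014).
Added example, standard library only; sample data below is constructed."""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")        # 1.2.840.10045.2.1 id-ecPublicKey


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos.
    Single-byte tags and definite lengths are all X.509 needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def rsa_key_bits(cert_der):
    """Return the RSA modulus size in bits, or None when the key is not RSA."""
    _, cert, _ = read_tlv(cert_der)                 # Certificate SEQUENCE
    _, tbs = next(children(cert))                   # TBSCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version (absent in v1)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    (_, alg), (_, bitstr) = list(children(fields[5][1]))[:2]
    if next(children(alg))[1] != RSA_OID:
        return None
    _, rsa_pub, _ = read_tlv(bitstr[1:])            # skip unused-bits byte, then RSAPublicKey
    modulus = next(children(rsa_pub))[1]            # INTEGER modulus (may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()


def parse_bundle(pem_text):
    """Return [(label, der)]; in curl's bundle each block follows the CA name
    and a line of '=' signs, so the last plain line before BEGIN is the label."""
    certs, label, b64 = [], None, None
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            b64 = []
        elif line == "-----END CERTIFICATE-----":
            certs.append((label or "cert %d" % (len(certs) + 1), base64.b64decode("".join(b64))))
            b64, label = None, None
        elif b64 is not None:
            b64.append(line)
        elif line and not line.startswith("="):
            label = line
    return certs


def scan_bundle(pem_text, min_bits=2048):
    """Return [(label, bits, weak)]; non-RSA keys report bits=None and are not flagged."""
    out = []
    for label, der in parse_bundle(pem_text):
        bits = rsa_key_bits(der)
        out.append((label, bits, bits is not None and bits < min_bits))
    return out


# --- constructed sample data: unsigned, structurally minimal certificates ----------
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(n):                                        # positive INTEGER, leading 0x00 when needed
    return _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def _seq(*items):
    return _der(0x30, b"".join(items))

def rsa_spki(bits):                                 # modulus of the requested size, not a real key
    modulus = (1 << (bits - 1)) | 1
    return _seq(_seq(_der(0x06, RSA_OID), _der(0x05, b"")),
                _der(0x03, b"\x00" + _seq(_int(modulus), _int(65537))))

def ec_spki():                                      # id-ecPublicKey with a placeholder point
    return _seq(_seq(_der(0x06, EC_OID), _der(0x06, bytes.fromhex("2a8648ce3d030107"))),
                _der(0x03, b"\x00\x04" + b"\x11" * 64))

def make_cert(spki):
    """v3 TBSCertificate with empty Name/Validity placeholders and a dummy signature."""
    tbs = _seq(_der(0xA0, _int(2)), _int(1), _seq(_der(0x06, RSA_OID)), _seq(), _seq(), _seq(), spki)
    return _seq(tbs, _seq(_der(0x06, RSA_OID)), _der(0x03, b"\x00" * 17))

def _pem(label, der):
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "%s\n%s\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (label, "=" * len(label), lines)

SAMPLE_BUNDLE = ("##\n## Constructed sample in the layout of curl's cacert.pem (not real CAs)\n##\n\n"
                 + _pem("Example 1024-bit Root CA", make_cert(rsa_spki(1024)))
                 + _pem("Example 2048-bit Root CA", make_cert(rsa_spki(2048)))
                 + _pem("Example ECC Root CA", make_cert(ec_spki())))

if __name__ == "__main__":
    for label, bits, weak in scan_bundle(SAMPLE_BUNDLE):
        print("%-26s %-8s %s" % (label, bits or "non-RSA", "WEAK" if weak else "ok"))
```

Point `scan_bundle` at the text of a real cacert.pem (old or new) to see which roots would fall under a 2048-bit floor; comparing the output for the two bundles linked from caextract.html shows whether the missing Amazon chain root is among them. Note the DER walker only handles the certificate fields it needs and trusts well-formed input; it is a triage tool for a bundle you already trust, not a parser to expose to hostile data.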