Re: ca-cert bundle missing Verisign cert, breaking SSL to Amazon

From: Leif W <warp9pnt9_at_gmail.com>
Date: Mon, 27 Oct 2014 18:03:10 -0400

On 2014-10-27 15:34, Lamont Granquist wrote:
> The latest http://curl.haxx.se/ca/cacert.pem drops these certs:

I think this has to do with changes made to the mk-ca-bundle.pl script
(added -p) which affects what gets put into the cacert.pem by default.

https://github.com/bagder/curl/commit/94898303d2b51198e90aa8e09545ed5e5b6b871c

> If those are being dropped after being scraped, then someone should
> probably be made aware that it's a cert at the base of Amazon's SSL
> certs and removing that cert from the ca-bundle breaks
> https://s3.amazonaws.com and https://amazon.com

I don't pretend to know much about the implications of doing this, but I
played with the -p options a bit.

Verified mk-ca-bundle.pl is by default pulling the same certdata.txt
file mentioned, and that this file has the needed certs:

http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt

The default -p option is as if SERVER_AUTH:TRUSTED_DELEGATOR was
specified, and the Amazon certs mentioned are excluded from the cacert.pem.

I got ALL:ALL to include the certs, as well as
SERVER_AUTH:MUST_VERIFY_TRUST and SERVER_AUTH:TRUSTED,MUST_VERIFY_TRUST.

However, SERVER_AUTH:TRUSTED_DELEGATOR and optionally MUST_VERIFY_TRUST
or TRUSTED or BOTH exclude the Amazon cert.

A better explanation of the trust purpose(s) and level(s) may be more
helpful, and setting defaults that are well justified if they break any
compatibility, or updating the script invocation that (automatically?)
generates the cacert.pem on site.

Leif
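The effect Leif describes, a trust-purpose:level filter deciding which certdata.txt entries reach cacert.pem, as an added example written for this page; it is not mk-ca-bundle.pl's own code but a simplified model of its -p semantics (a cert is kept when any listed purpose carries any listed level), run over a constructed, abbreviated certdata.txt-style input with placeholder labels:

```python
import re

# Constructed, abbreviated certdata.txt-style trust objects (not the real
# Mozilla file); the labels are placeholders, not the roots named in the thread.
SAMPLE_CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root C"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
"""

# Purpose and level names accepted by the -p option; ALL expands to the full list.
PURPOSES = ("SERVER_AUTH", "EMAIL_PROTECTION", "CODE_SIGNING")
LEVELS = ("TRUSTED_DELEGATOR", "NOT_TRUSTED", "MUST_VERIFY_TRUST", "TRUSTED")


def parse_trust(text):
    """Map each CKA_LABEL to its {purpose: level} trust attributes."""
    certs, label = {}, None
    for line in text.splitlines():
        m = re.match(r'CKA_LABEL UTF8 "(.*)"', line)
        if m:
            label = m.group(1)
            certs[label] = {}
            continue
        m = re.match(r"CKA_TRUST_(\w+) CK_TRUST CKT_NSS_(\w+)", line)
        if m and label is not None:
            certs[label][m.group(1)] = m.group(2)
    return certs


def select(certs, spec="SERVER_AUTH:TRUSTED_DELEGATOR"):
    """Labels kept for a -p style 'PURPOSES:LEVELS' spec (simplified model).
    Note that ALL:ALL also admits NOT_TRUSTED entries, so a bundle built
    that way needs a separate check for explicitly distrusted roots."""
    p, l = spec.split(":")
    purposes = PURPOSES if p == "ALL" else tuple(p.split(","))
    levels = LEVELS if l == "ALL" else tuple(l.split(","))
    return sorted(lbl for lbl, trust in certs.items()
                  if any(trust.get(pu) in levels for pu in purposes))


if __name__ == "__main__":
    certs = parse_trust(SAMPLE_CERTDATA)
    for spec in ("SERVER_AUTH:TRUSTED_DELEGATOR", "SERVER_AUTH:MUST_VERIFY_TRUST", "ALL:ALL"):
        print(spec, "->", select(certs, spec))
```

With the default spec only Root A survives; a root whose server-auth trust is MUST_VERIFY_TRUST or TRUSTED is silently left out of the bundle, which is the kind of gap a post-build check against the roots your deployments actually need would catch.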

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-27