Re: ca-cert bundle missing Verisign cert, breaking SSL to Amazon

From: Lamont Granquist <>
Date: Mon, 27 Oct 2014 16:14:14 -0700

On Mon Oct 27 15:46:44 2014, Daniel Stenberg wrote:
> On Mon, 27 Oct 2014, Lamont Granquist wrote:
>> I'd say that you've gotten too far ahead in anticipating dropping the
>> 1024-bit RSA certs since breaking AWS is a total show stopper for a
>> lot of people
> We in the curl project didn't anticipate anything of this. We get the
> data from the Mozilla project and they changed the properties. We've
> run the same script daily for a long time. One day the output
> changed to this.
> Then, surely it isn't truly a show-stopper to anyone! You can easily
> just either revert to the previous file until we have this sorted out
> or you can run the script yourself locally and do whatever you want.
> Especially now since Leif W pointed out how to get those certs back in
> the output!

Technically, yes, we already reverted to old cached copies of the
cacerts in s3 (which was multiple pull requests across multiple repos
to bump lockfiles to pick up the change in the one repo that actually
had the update), but then we've got users who don't use our s3 caching
binaries, who are going to wind up pulling down the latest cacert.pem
blob and will then fail its shasum check against the previous version
which fails the tamper check and either require us to explain how to
pull from the s3 cache instead or else start hacking up exceptions for
this one package to get the messaging correct.... So yeah, technically
all fixable on our end, but it'd be easier if it just keeps working the
way it did...

Good to know it was just some confusion, though, and it'll get sorted
out eventually...

Received on 2014-10-28