Re: cacert.pem includes two malformed Trustwave certificates
From: Jeffrey Walton via curl-users <curl-users_at_lists.haxx.se>
Date: Tue, 21 Jun 2022 14:52:16 -0400
On Tue, Jun 21, 2022 at 10:38 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Tue, 21 Jun 2022, Jeffrey Walton via curl-users wrote:
>
> Curious!
>
> > It appears cacert.pem includes two malformed Trustwave certificates.
>
> Just to make sure, are you talking about the current cacert.pem on
> https://curl.se/docs/caextract.html, downloadable from
> https://curl.se/ca/cacert.pem ?
>
> > It appears the Trustwave certs are using two octets for keyUsage
> > instead of one.
>
> The PEM file we provide is just a converted version of the original source
> file hosted by Mozilla at
> https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
>
> Can you spot if the error is present in their source file?
>
> If it is, the error is somewhere on Mozilla's side.
>
> If it isn't, the error is somewhere in
> https://github.com/curl/curl/blob/master/scripts/mk-ca-bundle.pl
It looks like the problem is with the Trustwave certs. Also see
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/EKAIB01lvlo/m/-WYPISl-AwAJ
on Mozilla's dev-security-policy mailing list.
Jeff
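The encoding defect discussed in this thread (two octets for keyUsage where one is expected) can be checked mechanically. The following is an added example, not part of the thread and not code from curl or Mozilla: a stdlib-only Python checker that walks each certificate in a PEM bundle such as cacert.pem, locates the keyUsage extension and flags BIT STRINGs that are not DER-minimal. The DER walker, the function names and the two skeleton certificates are constructed for this example; the OID and the X.690 rule are standard.

```python
import base64, re
KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage (2.5.29.15)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def der_tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                              # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln
def der_children(buf, start, end):                             # TLVs inside buf[start:end]
    while start < end:
        tag, vs, start = der_tlv(buf, start)
        yield tag, vs, start

def check_key_usage_bitstring(bs):
    """None if the BIT STRING is DER-minimal, else the reason. X.690 drops trailing zero
    bits of a named bit list; KeyUsage has 9 bits, so octet 2 is valid only with decipherOnly."""
    tag, vs, ve = der_tlv(bs, 0)
    if tag != 0x03:
        return "extnValue is not a BIT STRING"
    unused, bits = bs[vs], bs[vs + 1:ve].rstrip(b"\0")
    if len(bits) != ve - vs - 1:
        return "trailing zero octet(s): %d encoded, %d needed" % (ve - vs - 1, len(bits))
    expected = (bits[-1] & -bits[-1]).bit_length() - 1 if bits else 0   # trailing zero bits
    return None if unused == expected else "unused bits %d, expected %d" % (unused, expected)

def key_usage_from_cert(cert_der):
    """Certificate -> tbsCertificate -> [3] extensions -> keyUsage extnValue, or None."""
    _, ts, te = der_tlv(cert_der, der_tlv(cert_der, 0)[1])
    for tag, vs, ve in der_children(cert_der, ts, te):
        if tag == 0xA3:                                        # [3] EXPLICIT Extensions
            _, es, ee = der_tlv(cert_der, vs)
            for _, xs, xe in der_children(cert_der, es, ee):
                kids = list(der_children(cert_der, xs, xe))   # OID [, critical], OCTET STRING
                if cert_der[kids[0][1]:kids[0][2]] == KEY_USAGE_OID:
                    return cert_der[kids[-1][1]:kids[-1][2]]
    return None

def scan_bundle(pem_text):
    """[(cert_index, reason)] for every certificate whose keyUsage is not DER-minimal."""
    certs = [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(pem_text)]
    kus = [(i, key_usage_from_cert(c)) for i, c in enumerate(certs)]
    return [(i, why) for i, ku in kus if ku is not None and (why := check_key_usage_bitstring(ku))]
def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
# Constructed skeleton certs (just the [3] extensions field, enough for the walker): keyCertSign|cRLSign
# as a minimal 1-octet BIT STRING (03 02 01 06), then the same bits padded to 2 octets (03 03 01 06 00).
MINIMAL_CERT = bytes.fromhex("30133011a30f300d300b0603551d0f040403020106")
PADDED_CERT = bytes.fromhex("30143012a310300e300c0603551d0f04050303010600")
SAMPLE_BUNDLE = to_pem(MINIMAL_CERT) + to_pem(PADDED_CERT)
```

Running `scan_bundle` over the contents of a real cacert.pem reports the index of every certificate whose keyUsage BIT STRING carries a redundant trailing octet or a wrong unused-bits count.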
Received on 2022-06-21