curl-library

Re: /etc/ssl/certs/ instead of curl-ca-bundle.crt by default

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 7 Feb 2008 22:35:37 +0100 (CET)

On Thu, 7 Feb 2008, Guenter Knauf wrote:

>> http://curl.haxx.se/docs/caextract.html).

> it seems to me that the parse-cert script is now somewhat outdated, and needs
> some additional regex to split off the crap which is now in certdate.txt;
> this file seems no longer a plain txt, but is now a html....

Right, it needs a different URL. The current crontab job uses this curl line:

    curl -s "http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1" -o certdata.txt

> furthermore I didn't like the shell, ruby and sed dependence since that makes
> it only usable on Unices; therefore I've just hacked a Perl script based on
> parse-cert, and this new script does now also download certdata.txt before
> processing; I've successfully tested it on Win32 and Linux:

> http://svwe10.itex.at/mirror/curl/ca-bundle/

Cool!

> Daniel, if you like this script feel free to put it into the curl distro;

I think that's a really good idea.

I guess we should then put it in the lib/ dir and make a makefile target that
runs it on demand.

> I think it might be useful since this works now on almost any platform, and
> only requires Perl. Perhaps it makes also sense to remove the outdated
> ca-bundle.crt from CVS, and generate always a fresh one with releases from
> the release script?

Well, the Firefox CA certs don't get updated that often so if we truly wanted
their ca certs in our releases we could just import them. To me, the main
problem that prevents me from doing any of these actions is the claimed
license on the ca cert bundle.

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2008-02-07
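
Added example, not part of the original mail and not the Perl script or any curl project code: the conversion step discussed in the thread, written in Python. It rejects a download that is HTML rather than raw certdata.txt (the failure described above), then turns the octal CKA_VALUE of each CKO_CERTIFICATE object into PEM. SAMPLE is constructed, the names certdata_to_pem and NotCertdata are assumptions, and the trust records in the file are not evaluated.

```python
import base64
import re
import textwrap

# Constructed sample in certdata.txt syntax; the five "certificate" bytes are
# placeholder DER, not a real CA certificate.
SAMPLE = r'''# comment
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Test Root"
CKA_SUBJECT MULTILINE_OCTAL
\060\000
END
CKA_VALUE MULTILINE_OCTAL
\060\003\002
\001\005
END
'''

class NotCertdata(ValueError):
    """Raised when the input is not raw certdata.txt (e.g. an HTML page)."""

def certdata_to_pem(text):
    """Return [(label, pem), ...] for every CKO_CERTIFICATE object."""
    if re.search(r"<\s*(!doctype|html|body|pre)\b", text, re.I):
        raise NotCertdata("got HTML instead of the raw file")
    if "BEGINDATA" not in text:
        raise NotCertdata("BEGINDATA marker missing")
    certs, label, in_cert, octal = [], None, False, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'CKA_LABEL UTF8 "(.*)"$', line)
        if m:
            label = m.group(1)
        elif line.startswith("CKA_CLASS "):
            in_cert = line.endswith("CKO_CERTIFICATE")
        elif in_cert and line == "CKA_VALUE MULTILINE_OCTAL":
            octal = []                      # start collecting DER bytes
        elif octal is not None and line == "END":
            der = bytes(int(o, 8) for o in octal)
            b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
            certs.append((label, "-----BEGIN CERTIFICATE-----\n" + b64 +
                          "\n-----END CERTIFICATE-----\n"))
            octal = None
        elif octal is not None:
            octal.extend(re.findall(r"\\([0-7]{3})", line))
    return certs

if __name__ == "__main__":
    for name, pem in certdata_to_pem(SAMPLE):
        print("#", name)
        print(pem, end="")
```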