cURL / Mailing Lists / curl-library / Single Mail


bug in 'mk-ca-bundle' script

From: <>
Date: Tue, 04 Sep 2012 10:20:34 -0400


While adapting 'mk-ca-bundle' to generate
separate PEM files for 'sendmail' I came
across a bug in the state-machine logic
that reads 'certdata.txt'.

The result is that the certificate

   Hellenic Academic and Research Institutions RootCA 2011

in the Firefox 15 version of 'certdata.txt'
was skipped. Didn't look at it too hard,
but it seems to me that worse outcomes
could result from the flaw.

I've attached my revised script, which
breaks PEM files out separately.
'openssl' presents all 156 CA cert
subjects in the TLS negotiation when a
'ca-bundle.pem' approach is taken. This
adds 25k to the TLS handshake--expensive.
With separate files hash-linked
by 'c_rehash', only the one or two
parent certificates included in
cacert.pem are presented during
TLS startup. Openssl version 1.0.1
was used.

It should be fairly easy to back the
loop-logic changes or something similar
into the original.


List admin:

Received on 2012-09-04