curl-library

Re: [PATCH] mk-ca-bundle.pl: 64 char wrapped PEMs

From: Guenter <lists_at_gknw.net>
Date: Thu, 04 Apr 2013 00:18:18 +0200

Hi Richard,
On 03.04.2013 23:51, Richard Michael wrote:
> 0/ I am primarily concerned with the format of the CA bundle file, not
> with the possibility of parsing the file with an encoder/decoder. I
> have not investigated coders other than OpenSSL, but I believe you
> [that they will handle 76 character wrapped PEMs].
ok, thinking twice about it you got me half convinced, and I just
applied a modified patch: I added an option so that you can now set the
wrap - but it still defaults to 76; I hope that makes all users then
happy: those who compare a certdata generated with an older version of
the script against a new one; and those who like any other wrapping
(like you).

> 1/ (I assume you mean "-t"?) I did not notice, because -h does not
> mention OpenSSL generated output. But --
>
> First, this grows the output file size by quite a bit. That said, I
> would do this for myself locally, the verbose ca-bundle content is
> helpful. Thank you for mentioning it.
>
> Second, the option "-t" is broken. The output file (">> $crt") used
> in the TMP pipe is clobbered when the temp output file
> ("ca-bundle.crt.~") is renamed (to "$crt") at the end of the script.
> :-)
oh! Something to fix then .... :-P
you have another patch ready?

> Third, I wanted to change the default output of mk-ca-bundle.
and this is something I don't want; the script lives in the source for a
while now, and others may then scream that we changed it ...

> Do you mean that the 64 character wrapped MIME::Base64 output will not
> be identical to the OpenSSL PEM Base64? In the certificates I examine
> after my patch, the outputs were identical. Could you explain further
> please?
ok, when you look at one single cert then the output is the same I think ...

>> a holy wish ...
>
> Not so holy! Such a user is me. :-) I was confused by 76 vs. 64
> character PEMs when I was learning SSL subject matter many years ago.
> So again, I think it would be helpful to be consistent [with openssl
> and the PEM RFC] with the format of the bundle file.
ok, 3/4 convinced ....

> It's an XS C file; beyond what I am willing to take on for this issue.
sure, but posting a ticket with an enhancement request would be fine ...
(/me too lazy ...)

please check the current version if that works for ya;
colored change view:
https://github.com/bagder/curl/commit/8efd74de4604ba1114fa191b393f46c7395c8858
raw:
https://raw.github.com/bagder/curl/8efd74de4604ba1114fa191b393f46c7395c8858/lib/mk-ca-bundle.pl

Gün.

Received on 2013-04-04
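
The point the thread converges on, that the wrap width changes only the text layout of the bundle and not the certificates in it, can be checked mechanically. The following is an added example, not part of the original mail or of mk-ca-bundle.pl: it is written in Python, uses a constructed byte string in place of real certificate DER data, and `wrap_pem` and `audit_bundle` are hypothetical names.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for one certificate's DER bytes (not a real cert).
SAMPLE_DER = bytes(range(256)) * 3


def wrap_pem(der, width):
    """Base64-encode DER bytes and wrap the body at `width` characters."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def audit_bundle(text):
    """Return one (wrap_width, der_bytes) pair per certificate block.

    wrap_width is the shared length of every body line except the last,
    or None when a block is wrapped inconsistently.
    """
    results = []
    for body in PEM_RE.findall(text):
        lines = body.split()
        if not lines:
            continue
        full = {len(line) for line in lines[:-1]} or {len(lines[-1])}
        consistent = len(full) == 1 and len(lines[-1]) <= max(full)
        width = max(full) if consistent else None
        results.append((width, base64.b64decode("".join(lines))))
    return results


def mime_default_body(der):
    """Body as a MIME-style encoder emits it (Python wraps at 76 here)."""
    return base64.encodebytes(der).decode("ascii")


if __name__ == "__main__":
    bundle = wrap_pem(SAMPLE_DER, 64) + wrap_pem(SAMPLE_DER, 76)
    for width, der in audit_bundle(bundle):
        print("wrap", width, "identical DER:", der == SAMPLE_DER)
```

Comparing two bundles by their decoded bytes rather than with a text diff is what lets a bundle generated at one wrap width be checked against one generated at another.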