Mailing Lists
|
|
cURL Mailing List Monthly Index Single Mail
curl-tracker Archives
[curl:bugs] #1178 CA Extract generated file does allow some Diginotar certificates
From: Richard Odekerken <rgj_rulez_at_users.sf.net>
Date: Sun, 30 Dec 2012 09:11:09 +0000
--- ** [bugs:#1178] CA Extract generated file does allow some Diginotar certificates** **Status:** open **Created:** Sun Dec 30, 2012 09:11 AM UTC by Richard Odekerken **Last Updated:** Sun Dec 30, 2012 09:11 AM UTC **Owner:** nobody CA Extract-generated CA Bundle does still let Diginotar SSL certificates through The documentation for CA Extract (http://curl.haxx.se/docs/caextract.html) says "These ca cert bundles do not contain the DigiNotar certificates as Mozilla marks them as untrusted and this script knows the markup for that. " However, there is a number of extra checks in Mozilla outside of the cert bundle in order to . These checks are in Mozilla source code and explicitly block certificates that have been cross-signed by Entrust and Cybertrust. See comments 9 and 52 in this ticket https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c9 https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c52 and also see this Mozilla source code patch https://bugzilla.mozilla.org/attachment.cgi?id=556791&action=edit The test sites in ticket 53 do not work anymore, but a good test site is the Dutch province of Drenthe at https://www.drenthe.nl/ They still use a Diginotar certificate cross-signed by Entrust (yeah). This site is blocked by all major browsers including Firefox, but if you use cURL with validation against the CA Extract-generated CA Bundle, everything is fine and dandy. My proposal is to generate and use a separate CRL file in order to avoid those hacks like Mozilla did. --- Sent from sourceforge.net because you indicated interest in <https://sourceforge.net/p/curl/bugs/1178/> To unsubscribe from further messages, please visit <https://sourceforge.net/auth/prefs/>Received on 2012-12-30 These mail archives are generated by hypermail. |
Page updated January 05, 2012.
web site info