curl-tracker Archives

[curl:bugs] #1178 CA Extract generated file does allow some Diginotar certificates

From: Richard Odekerken <rgj_rulez_at_users.sf.net>
Date: Sun, 30 Dec 2012 09:11:09 +0000

---
** [bugs:#1178] CA Extract generated file does allow some Diginotar certificates**
**Status:** open
**Created:** Sun Dec 30, 2012 09:11 AM UTC by Richard Odekerken
**Last Updated:** Sun Dec 30, 2012 09:11 AM UTC
**Owner:** nobody
CA Extract-generated CA Bundle does still let Diginotar SSL certificates through
The documentation for CA Extract (http://curl.haxx.se/docs/caextract.html) says "These ca cert bundles do not contain the DigiNotar certificates as Mozilla marks them as untrusted and this script knows the markup for that."
However, there are a number of extra checks in Mozilla outside of the cert bundle in order to . These checks are in Mozilla source code and explicitly block certificates that have been cross-signed by Entrust and Cybertrust.
See comments 9 and 52 in this ticket 
https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c9
https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c52 
and also see this Mozilla source code patch https://bugzilla.mozilla.org/attachment.cgi?id=556791&action=edit
The test sites in ticket 53 do not work anymore, but a good test site is the Dutch province of Drenthe at https://www.drenthe.nl/ They still use a Diginotar certificate cross-signed by Entrust (yeah). This site is blocked by all major browsers including Firefox, but if you use cURL with validation against the CA Extract-generated CA Bundle, everything is fine and dandy.
My proposal is to generate and use a separate CRL file in order to avoid those hacks like Mozilla did.
---
Sent from sourceforge.net because you indicated interest in <https://sourceforge.net/p/curl/bugs/1178/>
Received on 2012-12-30
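The gap the report describes is that removing a root from the CA bundle does nothing against an intermediate that was cross-signed by a different, still-trusted root; Mozilla closes it with an explicit distrust list checked against every certificate in the chain, in addition to normal bundle-based path building. The following is an added illustration (not curl's code, and not from the report) of that two-step check: a PEM bundle parser, SHA-256 fingerprints, and a chain rejected because one member is on the distrust set. The "certificates" are constructed byte strings standing in for DER, and the trust-anchor match is a fingerprint comparison standing in for the signature verification a real TLS library performs.

```python
import base64
import hashlib
import re
from typing import List, Set, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def parse_pem_bundle(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode(m.group(1)) for m in PEM_BLOCK.finditer(pem_text)]


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def blocked_certs(chain_der: List[bytes], distrust: Set[str]) -> List[str]:
    """Fingerprints of chain members that appear on the explicit distrust list."""
    return [fp for fp in map(sha256_fingerprint, chain_der) if fp in distrust]


def chain_acceptable(chain_pem: str, bundle_pem: str,
                     distrust: Set[str]) -> Tuple[bool, List[str]]:
    """Step 1: does the chain end in a bundle root (what the CA bundle alone gives)?
    Step 2: is any chain member explicitly distrusted (Mozilla's extra in-code check)?"""
    chain = parse_pem_bundle(chain_pem)
    roots = {sha256_fingerprint(d) for d in parse_pem_bundle(bundle_pem)}
    anchored = bool(chain) and sha256_fingerprint(chain[-1]) in roots
    blocked = blocked_certs(chain, distrust)
    return anchored and not blocked, blocked


# Constructed scenario mirroring the report: the DigiNotar root is absent from the
# bundle, but the leaf chains through a cross-signed intermediate to a root that IS
# in the bundle. These byte strings are stand-ins, not real certificates.
ROOT_DER = b"constructed: trusted root still in the bundle"
CROSS_SIGNED_INTERMEDIATE_DER = b"constructed: intermediate cross-signed by that root"
LEAF_DER = b"constructed: server leaf certificate"

TRUSTED_BUNDLE = make_pem(ROOT_DER)                       # bundle without DigiNotar
CHAIN_PEM = make_pem(LEAF_DER) + make_pem(CROSS_SIGNED_INTERMEDIATE_DER) + make_pem(ROOT_DER)
DISTRUST = {sha256_fingerprint(CROSS_SIGNED_INTERMEDIATE_DER)}  # the explicit block list
```

With `DISTRUST` empty the chain is accepted purely because its root is in the bundle, which is the behaviour the report observes in curl; with the intermediate's fingerprint on the list it is rejected regardless of the trusted root.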
