
curl-tracker Archives

[curl:bugs] #1178 CA Extract generated file does allow some Diginotar certificates

From: Richard Odekerken <rgj_rulez_at_users.sf.net>
Date: Thu, 03 Jan 2013 07:04:19 +0000

No, it's not a bug in the script. It's a bug in the accompanying documentation, which currently implies that everything Diginotar-related will be perfectly fine, while that's not the case.

Because this made me aware of the 'bigger problem' with people hardcoding stuff into their HTTP clients like Mozilla did, it goes along with a suggestion for additional functionality: to add a script or logic to generate a file to be fed into CURLOPT_CRLFILE, and maybe to include a standard CRL PEM file in the distro.

---
** [bugs:#1178] CA Extract generated file does allow some Diginotar certificates**
**Status:** open
**Labels:** SSL 
**Created:** Sun Dec 30, 2012 09:11 AM UTC by Richard Odekerken
**Last Updated:** Wed Jan 02, 2013 11:19 PM UTC
**Owner:** Daniel Stenberg
CA Extract-generated CA Bundle does still let Diginotar SSL certificates through
The documentation for CA Extract (http://curl.haxx.se/docs/caextract.html) says "These ca cert bundles do not contain the DigiNotar certificates as Mozilla marks them as untrusted and this script knows the markup for that. "
However, there are a number of extra checks in Mozilla outside of the cert bundle in order to . These checks are in Mozilla source code and explicitly block certificates that have been cross-signed by Entrust and Cybertrust.
See comments 9 and 52 in this ticket 
https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c9
https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c52 
and also see this Mozilla source code patch https://bugzilla.mozilla.org/attachment.cgi?id=556791&action=edit
The test sites in ticket 53 do not work anymore, but a good test site is the Dutch province of Drenthe at https://www.drenthe.nl/ They still use a Diginotar certificate cross-signed by Entrust (yeah). This site is blocked by all major browsers including Firefox, but if you use cURL with validation against the CA Extract-generated CA Bundle, everything is fine and dandy.
My proposal is to generate and use a separate CRL file in order to avoid those hacks like Mozilla did.
---
Received on 2013-01-03
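The following script is an added example for the bug report above; it is not curl's mk-ca-bundle.pl, not Mozilla's blocklist code, and not part of this mailing list post. It builds a throwaway PKI shaped like the situation Richard describes: a root that would be in the CA bundle (standing in for the cross-signing root), an intermediate cross-signed by that root (standing in for the DigiNotar CA), and a site certificate under it. It then shows that verifying against the bundle alone accepts the chain, while a CRL issued by the root that revokes the intermediate rejects it, which is what the proposed CURLOPT_CRLFILE input would do. It assumes an openssl command-line binary is installed; every CA name, the host name www.example.test and all serial numbers are constructed for the demo.

```shell
#!/bin/sh
# Added example for the discussion above; not curl's mk-ca-bundle.pl and not
# Mozilla's code.  Throwaway PKI shaped like the bug report:
#   root  - CA that is in the bundle (stands in for the cross-signing root)
#   inter - intermediate cross-signed by root (stands in for the DigiNotar CA)
#   leaf  - site certificate issued under inter
# Bundle-only verification accepts leaf; a CRL from root revoking inter
# rejects it.  Needs an `openssl` binary; all names here are constructed.
set -eu

csr() {  # csr <name> <subject>: fresh RSA key and certificate request
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

issue() {  # issue <name> <issuer> <extfile>: sign <name>.csr with <issuer>'s key
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/$3" \
        -out "$WORK/$1.pem" 2>/dev/null
}

make_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$WORK/leaf.ext"
    csr root  '/CN=Demo Cross-Signing Root'
    csr inter '/CN=Demo Cross-Signed Intermediate'
    csr leaf  '/CN=www.example.test'
    # self-signed root with explicit CA extensions (same on every openssl version)
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
        -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    issue inter root  ca.ext     # the cross-signed intermediate
    issue leaf  inter leaf.ext   # the web site certificate
}

# `openssl ca` is the only openssl subcommand that emits CRLs; it needs a
# config section naming a database file, everything else is given as options.
gen_crl() {  # gen_crl <ca> [cert-to-revoke.pem]: write <ca>.crl (PEM)
    printf '[ ca ]\ndefault_ca = demo\n[ demo ]\ndatabase = %s/%s.idx\n' \
        "$WORK" "$1" > "$WORK/$1.cnf"
    : > "$WORK/$1.idx"
    if [ $# -gt 1 ]; then
        openssl ca -config "$WORK/$1.cnf" -keyfile "$WORK/$1.key" \
            -cert "$WORK/$1.pem" -md sha256 -revoke "$2" 2>/dev/null
    fi
    openssl ca -config "$WORK/$1.cnf" -keyfile "$WORK/$1.key" -cert "$WORK/$1.pem" \
        -md sha256 -gencrl -crldays 30 -out "$WORK/$1.crl" 2>/dev/null
}

# Verify leaf -> inter -> root.  With a CRL file, -crl_check_all mirrors the
# X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL flags curl's OpenSSL backend
# sets for CURLOPT_CRLFILE, so the file must hold a CRL for every CA in the chain.
verify_chain() {  # verify_chain <crl-file or "">: returns 0 if the chain is accepted
    if [ -n "$1" ]; then
        set -- -crl_check_all -CRLfile "$1"
    else
        set --
    fi
    if openssl verify "$@" -CAfile "$WORK/root.pem" \
            -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"; then
        return 0
    fi
    return 1
}

run_demo() {  # returns 0 only if the bundle accepts the chain and the CRL rejects it
    WORK=$(mktemp -d)
    make_pki
    gen_crl root "$WORK/inter.pem"   # root revokes the cross-signed intermediate
    gen_crl inter                    # empty CRL so the leaf's own CRL lookup succeeds
    cat "$WORK/root.crl" "$WORK/inter.crl" > "$WORK/crls.pem"
    if verify_chain ""; then
        echo "bundle only: accepted (the behaviour the bug report describes)"
    else
        echo "bundle only: unexpected rejection"; return 1
    fi
    if verify_chain "$WORK/crls.pem"; then
        echo "bundle + CRL: unexpected acceptance"; return 1
    fi
    echo "bundle + CRL: rejected (what a CRL file adds)"
    # The same file is what curl would consume, e.g.
    #   curl --cacert "$WORK/root.pem" --crlfile "$WORK/crls.pem" https://www.example.test/
}

run_demo
```

Two things the script makes visible that the proposal glosses over. First, because curl turns on CRL_CHECK_ALL, a CRL file given to CURLOPT_CRLFILE has to contain a current CRL for every CA in the chain, not only the one that revokes the bad intermediate; that is why an empty CRL for the intermediate is generated as well, and without it the verification fails with a lookup error rather than a revocation. Second, the demo can mint the revoking CRL only because it holds the root's private key: OpenSSL checks the CRL signature against the issuing CA, so a third party such as curl cannot author a CRL for certificates cross-signed by Entrust or Cybertrust. A shipped CRL file would have to be those CAs' own published CRLs, which is a different thing from the issuer-and-serial blocklist Mozilla hard-coded.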
