 [curl:bugs] #1178 CA Extract generated file does allow some Diginotar certificates
From: Daniel Stenberg <bagder_at_users.sf.net>
 Date: Thu, 03 Jan 2013 22:26:24 +0000 
Thanks a lot Richard, eagerly waiting to see what comes out of that!
---

**[bugs:#1178] CA Extract generated file does allow some Diginotar certificates**
**Status:** open
**Labels:** SSL
**Created:** Sun Dec 30, 2012 09:11 AM UTC by Richard Odekerken
**Last Updated:** Thu Jan 03, 2013 07:04 AM UTC
**Owner:** Daniel Stenberg

CA Extract-generated CA Bundle does still let Diginotar SSL certificates through.

The documentation for CA Extract (http://curl.haxx.se/docs/caextract.html) says "These ca cert bundles do not contain the DigiNotar certificates as Mozilla marks them as untrusted and this script knows the markup for that."

However, there are a number of extra checks in Mozilla outside of the cert bundle in order to . These checks are in Mozilla source code and explicitly block certificates that have been cross-signed by Entrust and Cybertrust. See comments 9 and 52 in this ticket:

https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c9
https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c52

and also see this Mozilla source code patch:

https://bugzilla.mozilla.org/attachment.cgi?id=556791&action=edit

The test sites in ticket 53 do not work anymore, but a good test site is the Dutch province of Drenthe at https://www.drenthe.nl/. They still use a Diginotar certificate cross-signed by Entrust (yeah). This site is blocked by all major browsers including Firefox, but if you use cURL with validation against the CA Extract-generated CA Bundle, everything is fine and dandy.

My proposal is to generate and use a separate CRL file in order to avoid those hacks like Mozilla did.

---

Received on 2013-01-03
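The gap the report describes is that a bundle-only verifier asks "does the chain end at a trusted root?", while Mozilla additionally asks "is any certificate in the chain on an explicit distrust list?", which is what catches a DigiNotar intermediate cross-signed by Entrust or Cybertrust. The following added example (not curl's or Mozilla's code) models both questions over certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns; the chain, organization names and trusted-root set are constructed sample data, not real certificates.

```python
# Constructed sample chain in getpeercert() dict shape (leaf first, root-most
# issuer last). The intermediate is a DigiNotar CA whose issuer is Entrust,
# i.e. a cross-signed certificate: its signer is in the trust bundle even
# though DigiNotar itself was removed from it.
CROSS_SIGNED_CHAIN = [
    {"subject": ((("commonName", "www.drenthe.nl"),),),
     "issuer": ((("organizationName", "DigiNotar B.V."),),
                (("commonName", "DigiNotar PKIoverheid CA (constructed)"),))},
    {"subject": ((("organizationName", "DigiNotar B.V."),),
                 (("commonName", "DigiNotar PKIoverheid CA (constructed)"),)),
     "issuer": ((("organizationName", "Entrust, Inc. (constructed)"),),)},
]

# Organizations of roots present in the (extracted) trust bundle. Sample data.
TRUSTED_ROOT_ORGS = {"Entrust, Inc. (constructed)", "Cybertrust (constructed)"}

# Explicit distrust list, applied to every certificate in the chain regardless
# of who signed it. This is the part a bundle alone cannot express.
DISTRUSTED_ORGS = {"DigiNotar", "DigiNotar B.V."}


def org_names(name):
    """Collect organizationName values from a getpeercert()-style RDN sequence."""
    return {value for rdn in name for (key, value) in rdn if key == "organizationName"}


def bundle_only_accepts(chain, trusted_root_orgs=TRUSTED_ROOT_ORGS):
    """Bundle-only view: accept if the top of the chain is issued by a trusted root.

    A cross-signed DigiNotar intermediate passes here because Entrust signed it.
    """
    return bool(org_names(chain[-1]["issuer"]) & trusted_root_orgs)


def distrusted_subjects(chain, distrusted_orgs=DISTRUSTED_ORGS):
    """Return the subject organizations in `chain` that hit the distrust list."""
    hits = set()
    for cert in chain:
        hits |= org_names(cert["subject"]) & distrusted_orgs
    return hits


def accepts_with_distrust(chain):
    """Mozilla-style view: trusted root AND no explicitly distrusted certificate."""
    return bundle_only_accepts(chain) and not distrusted_subjects(chain)
```

Python's `ssl` module only hands back the leaf from `getpeercert()` on older versions; building the full chain for a real check needs either a recent Python (`get_verified_chain()`) or a certificate-parsing library.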
 Page updated January 05, 2012.