
Re: bug in 'mk-ca-bundle' script

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 4 Sep 2012 16:33:07 +0200 (CEST)

On Tue, 4 Sep 2012, starlight.2012q3_at_binnacle.cx wrote:

> While adapting 'mk-ca-bundle' to generate separate PEM files for 'sendmail'
> I came across a bug in the state-machine logic that reads 'certdata.txt'.

Thanks for your contribution! But...

You seem to have based your version on a rather old version of the
mk-ca-bundle script. Look at the most recent one here and see if you can spot
a problem with it:

         https://github.com/bagder/curl/blob/master/lib/mk-ca-bundle.pl

> I've attached my revised script, which breaks PEM files out separately.
> 'openssl' presents all 156 CA cert subjects in the TLS negotiation when a
> 'ca-bundle.pem' approach is taken. This adds 25k to the TLS
> handshake--expensive. With separate files hash-linked by 'c_rehash', only
> the one or two parent certificates included in cacert.pem are presented
> during TLS startup. Openssl version 1.0.1 was used.

The c_rehash approach is however very OpenSSL-specific and it isn't supported
by other libs. That's the primary reason I think the script's default action
should be to generate the single PEM output.

Of course we could have it feature an option to do the many-files approach.

> It should be fairly easy to back the loop-logic changes or something similar
> into the original.

I disagree, and if you diff against the most recent version you'll see what I
mean...

-- 
  / daniel.haxx.se
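The thread is about the state machine that reads Mozilla's certdata.txt and about emitting either one ca-bundle.pem or one PEM file per CA. The following Python is an added example written for this archive page; it is not the mk-ca-bundle script, the attached revised script, or any curl project code. It parses a constructed certdata.txt fragment (the octal blobs are placeholder bytes, not real certificates), keeps only certificates whose trust object marks them as a server-auth trusted delegator, and offers both output shapes discussed above. Matching trust objects to certificates by CKA_LABEL, and accepting both the CKT_NETSCAPE_* and CKT_NSS_* constant spellings, are assumptions made for this example.

```python
import base64
import re
from typing import Dict, List

# Trust values meaning "trusted to issue server certificates". Accepting both
# the 2012-era CKT_NETSCAPE_* spelling and the later CKT_NSS_* spelling is an
# assumption made for this example.
TRUSTED_DELEGATOR = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}
TRUST_CLASSES = {"CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST"}

# Constructed sample in the certdata.txt layout: a certificate object followed
# by its trust object, twice. The MULTILINE_OCTAL blobs are placeholder bytes,
# not real DER certificates.
SAMPLE_CERTDATA = r"""
#
# Certificate "Example Trusted Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001
\001
END

# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

#
# Certificate "Example Distrusted Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END

# Trust for "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""

OCTAL_RE = re.compile(r"\\([0-7]{3})")


def decode_octal(lines: List[str]) -> bytes:
    """Turn MULTILINE_OCTAL lines such as '\\060\\003' into raw bytes."""
    return bytes(int(d, 8) for line in lines for d in OCTAL_RE.findall(line))


def parse_certdata(text: str) -> List[Dict[str, object]]:
    """Walk certdata.txt line by line and return one dict per PKCS#11 object.

    Three states: between objects, inside an object collecting attributes, and
    inside a MULTILINE_OCTAL attribute collecting lines until a bare END.
    """
    objects: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    octal_attr = None
    octal_lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if octal_attr is not None:          # collecting a MULTILINE_OCTAL body
            if line == "END":
                current[octal_attr] = decode_octal(octal_lines)
                octal_attr = None
            else:
                octal_lines.append(line)
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:                   # e.g. the BEGINDATA marker
            continue
        attr, ctype = parts[0], parts[1]
        value = parts[2] if len(parts) > 2 else ""
        if attr == "CKA_CLASS":              # a new object starts: flush the old one
            if current:
                objects.append(current)
            current = {"CKA_CLASS": value}
        elif ctype == "MULTILINE_OCTAL":
            octal_attr, octal_lines = attr, []
        elif ctype == "UTF8":
            current[attr] = value.strip('"')
        else:
            current[attr] = value
    if current:
        objects.append(current)
    return objects


def trusted_certificates(text: str) -> Dict[str, bytes]:
    """{label: DER} for certificates whose trust object allows server auth."""
    objects = parse_certdata(text)
    certs = {o["CKA_LABEL"]: o["CKA_VALUE"] for o in objects
             if o["CKA_CLASS"] == "CKO_CERTIFICATE"}
    trust = {o["CKA_LABEL"]: o.get("CKA_TRUST_SERVER_AUTH", "")
             for o in objects if o["CKA_CLASS"] in TRUST_CLASSES}
    return {label: der for label, der in certs.items()
            if trust.get(label) in TRUSTED_DELEGATOR}


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_bundle(text: str) -> str:
    """Single ca-bundle.pem text: every trusted cert, each preceded by its label."""
    return "".join(f"{label}\n{'=' * len(label)}\n{to_pem(der)}\n"
                   for label, der in trusted_certificates(text).items())


def split_files(text: str) -> Dict[str, str]:
    """Separate-files variant: {filename: PEM}, one certificate per file, named
    from the label. Creating the subject-hash symlinks is c_rehash's job and is
    OpenSSL-specific, so it is left out here."""
    out: Dict[str, str] = {}
    for label, der in trusted_certificates(text).items():
        out[re.sub(r"[^A-Za-z0-9_-]+", "_", label).strip("_") + ".pem"] = to_pem(der)
    return out


if __name__ == "__main__":
    print(build_bundle(SAMPLE_CERTDATA))
    print(sorted(split_files(SAMPLE_CERTDATA)))
```

The distrusted entry is dropped because its trust object says CKT_NSS_NOT_TRUSTED for CKA_TRUST_SERVER_AUTH; a parser that only looks for CKO_CERTIFICATE objects and never consults the following trust object would silently ship such a root in the bundle, which is the kind of state-machine mistake worth testing for.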
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2012-09-04