Haxx ad

curl's project page on


cURL > Mailing List > Monthly Index > Single Mail

curl-tracker Archives

[curl:bugs] #1178 CA Extract generated file does allow some Diginotar certificates

From: Richard Odekerken <>
Date: Sun, 30 Dec 2012 09:11:09 +0000

** [bugs:#1178] CA Extract generated file does allow some Diginotar certificates**
**Status:** open
**Created:** Sun Dec 30, 2012 09:11 AM UTC by Richard Odekerken
**Last Updated:** Sun Dec 30, 2012 09:11 AM UTC
**Owner:** nobody
CA Extract-generated CA Bundle does still let Diginotar SSL certificates through
The documentation for CA Extract ( says "These ca cert bundles do not contain the DigiNotar certificates as Mozilla marks them as untrusted and this script knows the markup for that. "
However, there is a number of extra checks in Mozilla outside of the cert bundle in order to . These checks are in Mozilla source code and explicitly block certificates that have been cross-signed by Entrust and Cybertrust.
See comments 9 and 52 in this ticket 
and also see this Mozilla source code patch
The test sites in ticket 53 do not work anymore, but a good test site is the Dutch province of Drenthe at They still use a Diginotar certificate cross-signed by Entrust (yeah). This site is blocked by all major browsers including Firefox, but if you use cURL with validation against the CA Extract-generated CA Bundle, everything is fine and dandy.
My proposal is to generate and use a separate CRL file in order to avoid those hacks like Mozilla did.
Sent from because you indicated interest in <>
To unsubscribe from further messages, please visit <>
Received on 2012-12-30

These mail archives are generated by hypermail.

donate! Page updated January 05, 2012.
web site info

File upload with ASP.NET