
curl-users

Re: ca-cert bundle missing Verisign cert, breaking SSL to Amazon

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 27 Oct 2014 22:56:41 +0100 (CET)

On Mon, 27 Oct 2014, Lamont Granquist wrote:

> The latest http://curl.haxx.se/ca/cacert.pem drops these certs:

...

> If those are being dropped after being scraped, then someone should probably
> be made aware that it's a cert at the base of Amazon's SSL certs and removing
> that cert from the ca-bundle breaks https://s3.amazonaws.com and
> https://amazon.com

I'm pretty sure they are dropped on purpose because of the recently introduced
RSA 1024-bit requirement mentioned here:
http://curl.haxx.se/docs/caextract.html; at least they vanished with that
specific Mozilla bump.

That's also a reason why we point to the last cacert.pem from before that
change on that same web page.

Of course, it could also be a bug in the mk-ca-bundle script.

See https://kuix.de/blog/index.php?entry=Cleanup-of-1024-bit-CA-certificates

At the bottom it lists these certs as "weak" and I suspect it is that
attribute that makes our script exclude them.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-27
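The thread above suspects that the missing roots are the ones Mozilla flagged as "weak" because their RSA keys are only 1024 bits. The following script is an added example for checking a CA bundle against that one criterion; it is not from the thread and not curl's own mk-ca-bundle script. It assumes only the `openssl` command-line tool is present, splits a PEM bundle into individual certificates, and reports every RSA root whose modulus is shorter than `MIN_BITS` (2048 here). Only RSA keys are measured, so EC roots with 256-bit keys are not misreported. The `build_sample_bundle` helper generates a constructed two-certificate bundle (one 1024-bit, one 2048-bit self-signed CA) so the check can be exercised offline; the subject names in it are made up for the example.

```shell
#!/bin/sh
# Added example, not from the curl-users thread or the curl project.
# Lists RSA CA certificates in a PEM bundle whose key is shorter than MIN_BITS.
# Requires the openssl CLI (assumption); works with OpenSSL 1.1.1, 3.x and LibreSSL.

MIN_BITS=2048

# weak_cas BUNDLE -> prints one "WEAK (<bits> bit): subject=..." line per weak RSA cert.
# Returns 0 when no weak RSA certificate is found, 1 otherwise.
weak_cas() {
    bundle="$1"
    found=0
    tmp=$(mktemp -d)
    # Split the bundle into cert0001.pem, cert0002.pem, ... (one certificate each).
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%04d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        text=$(openssl x509 -in "$f" -noout -text 2>/dev/null)
        # "Public Key Algorithm: rsaEncryption" identifies RSA keys; EC keys are skipped.
        alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n1)
        [ "$alg" = "rsaEncryption" ] || continue
        # Both "RSA Public-Key: (1024 bit)" (1.1.1) and "Public-Key: (1024 bit)" (3.x) match.
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
        if [ -n "$bits" ] && [ "$bits" -lt "$MIN_BITS" ]; then
            subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
            echo "WEAK ($bits bit): $subject"
            found=1
        fi
    done
    rm -rf "$tmp"
    return $found
}

# build_sample_bundle OUTFILE -> writes a constructed bundle with one 1024-bit and
# one 2048-bit self-signed CA certificate (sample data for the example only).
build_sample_bundle() {
    out="$1"
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:1024 -nodes -keyout "$dir/weak.key" -out "$dir/weak.pem" \
        -days 1 -subj "/CN=Constructed Weak CA" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ok.key" -out "$dir/ok.pem" \
        -days 1 -subj "/CN=Constructed OK CA" >/dev/null 2>&1
    cat "$dir/weak.pem" "$dir/ok.pem" > "$out"
    rm -rf "$dir"
}

# Usage: sh weakcas.sh /path/to/cacert.pem
# With no argument the constructed sample bundle is scanned instead.
if [ "$#" -gt 0 ]; then
    bundle="$1"
else
    bundle=$(mktemp)
    build_sample_bundle "$bundle"
fi
if weak_cas "$bundle"; then
    echo "no RSA CA certificates below $MIN_BITS bits in $bundle"
else
    echo "weak RSA CA certificates found in $bundle"
fi
```

Run it against the current `cacert.pem` to confirm whether any remaining roots fall under the 1024-bit threshold, or against the older bundle linked from the caextract page to see which roots the threshold removes. The script measures only RSA modulus length; it does not reproduce whatever other trust attributes mk-ca-bundle reads from Mozilla's data.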