bug in 'mk-ca-bundle' script
Date: Tue, 04 Sep 2012 10:20:34 -0400
While adapting 'mk-ca-bundle' to generate
separate PEM files for 'sendmail' I came
across a bug in the state-machine logic
that reads 'certdata.txt'.
The result is that the certificate
Hellenic Academic and Research Institutions RootCA 2011
in the Firefox 15 version of 'certdata.txt'
was skipped. Didn't look at it too hard,
but it seems to me that worse outcomes
could result from the flaw.
I've attached my revised script, which
breaks PEM files out separately.
'openssl' presents all 156 CA cert
subjects in the TLS negotiation when a
'ca-bundle.pem' approach is taken. This
adds 25k to the TLS handshake--expensive.
With separate files hash-linked
by 'c_rehash', only the one or two
parent certificates included in
cacert.pem are presented during
TLS startup. Openssl version 1.0.1
It should be fairly easy to back the
loop-logic changes or something similar
into the original.
- application/octet-stream attachment: mk-ca-bundle