
curl-tracker Archives

[curl:bugs] #1178 CA Extract generated file does allow some Diginotar certificates

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Wed, 02 Jan 2013 23:19:18 +0000

Thanks for your report!

Your suggestion is fine and I would certainly enjoy seeing a patch or other improvement that would bring this functionality!

But is that *really* a bug in this script? If the script converts the certs that are listed as trusted in that remote document, and it doesn't include any that are explicitly listed as not trusted, then the script does what it is supposed to do. Right?

---
** [bugs:#1178] CA Extract generated file does allow some Diginotar certificates**
**Status:** open
**Labels:** SSL 
**Created:** Sun Dec 30, 2012 09:11 AM UTC by Richard Odekerken
**Last Updated:** Sun Dec 30, 2012 09:11 AM UTC
**Owner:** Daniel Stenberg
CA Extract-generated CA Bundle does still let Diginotar SSL certificates through
The documentation for CA Extract (http://curl.haxx.se/docs/caextract.html) says "These ca cert bundles do not contain the DigiNotar certificates as Mozilla marks them as untrusted and this script knows the markup for that. "
However, there are a number of extra checks in Mozilla outside of the cert bundle in order to . These checks are in Mozilla source code and explicitly block certificates that have been cross-signed by Entrust and Cybertrust.
See comments 9 and 52 in this ticket 
https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c9
https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c52 
and also see this Mozilla source code patch https://bugzilla.mozilla.org/attachment.cgi?id=556791&action=edit
The test sites in ticket 53 do not work anymore, but a good test site is the Dutch province of Drenthe at https://www.drenthe.nl/ They still use a Diginotar certificate cross-signed by Entrust (yeah). This site is blocked by all major browsers including Firefox, but if you use cURL with validation against the CA Extract-generated CA Bundle, everything is fine and dandy.
My proposal is to generate and use a separate CRL file in order to avoid those hacks like Mozilla did.
---
Received on 2013-01-03
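The two mechanisms the report contrasts, shown as an added example (this is not the CA Extract script, not Mozilla's code, and not anything posted in the thread). The first function mimics what the extract script does with Mozilla's certdata.txt markup: a root is emitted only when its CKO_NSS_TRUST object carries CKT_NSS_TRUSTED_DELEGATOR for server auth, so a root marked CKT_NSS_NOT_TRUSTED is left out. The second function is a deliberately simplified path builder that shows why that is not enough for the cross-signed case: an intermediate signed by a trusted Entrust root never appears in certdata.txt, so the only way to reject it is a per-certificate distrust list applied to the served chain, which is what Mozilla's hard-coded check and the proposed separate CRL-like file both amount to. The certdata fragment, the octal bodies standing in for DER, the labels and the chains are all constructed for the example; signature verification is omitted.

```python
import hashlib

# Constructed, heavily trimmed certdata.txt fragment (NOT real Mozilla data).
# The object layout and the trust tokens (CKO_CERTIFICATE, CKO_NSS_TRUST,
# CKA_TRUST_SERVER_AUTH, CKT_NSS_TRUSTED_DELEGATOR, CKT_NSS_NOT_TRUSTED)
# follow Mozilla's real file; the octal bodies are placeholders for DER.
CERTDATA = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Entrust Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Entrust Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "DigiNotar Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "DigiNotar Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def parse_certdata(text):
    """Split certdata.txt into blank-line-separated objects, each a dict of
    attribute -> value.  MULTILINE_OCTAL bodies are decoded to bytes."""
    objects, current = [], {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            if current:
                objects.append(current)
                current = {}
            continue
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        key, kind = parts[0], parts[1]
        if kind == "MULTILINE_OCTAL":
            data = bytearray()
            for body in lines:          # consume the octal body up to END
                body = body.strip()
                if body == "END":
                    break
                data.extend(int(octet, 8) for octet in body.split("\\")[1:])
            current[key] = bytes(data)
        else:
            current[key] = parts[2].strip('"') if len(parts) > 2 else ""
    if current:
        objects.append(current)
    return objects


def extract_bundle(text):
    """What the extract script does: a root enters the bundle only if its
    CKO_NSS_TRUST object says CKT_NSS_TRUSTED_DELEGATOR for server auth.
    Returns {label: sha256 fingerprint of the DER}."""
    objs = parse_certdata(text)
    certs = {o["CKA_LABEL"]: o["CKA_VALUE"]
             for o in objs if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    bundle = {}
    for o in objs:
        if (o.get("CKA_CLASS") == "CKO_NSS_TRUST"
                and o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"
                and o.get("CKA_LABEL") in certs):
            bundle[o["CKA_LABEL"]] = fingerprint(certs[o["CKA_LABEL"]])
    return bundle


def path_validates(chain, bundle, distrusted=frozenset()):
    """Simplified path validation over a leaf-first chain of
    {"subject", "issuer", "der"} records (names stand in for DNs).  Succeeds
    as soon as a cert's issuer is a bundle root; fails if any cert on the
    path is in the distrust set.  Signature checks are out of scope."""
    for i, cert in enumerate(chain):
        if fingerprint(cert["der"]) in distrusted:
            return False
        if cert["issuer"] in bundle:
            return True
        if i + 1 == len(chain) or chain[i + 1]["subject"] != cert["issuer"]:
            return False  # chain does not link up to any trusted root
    return False


# Constructed chains.  The cross-signed intermediate is a DigiNotar CA whose
# issuer is the Entrust root; it is not in certdata.txt at all, so dropping
# the DigiNotar root from the bundle does nothing to it.
CROSS_SIGNED_INTERMEDIATE = {"subject": "DigiNotar Cross-signed CA",
                             "issuer": "Entrust Root", "der": b"\x30\x82\x99"}
CHAIN_VIA_ENTRUST = [
    {"subject": "www.example.nl", "issuer": "DigiNotar Cross-signed CA",
     "der": b"\x30\x82\x10"},
    CROSS_SIGNED_INTERMEDIATE,
]
CHAIN_VIA_DIGINOTAR_ROOT = [
    {"subject": "www.example.nl", "issuer": "DigiNotar Root",
     "der": b"\x30\x82\x11"},
]
# The separate distrust file the report proposes, reduced to one entry.
DISTRUST = {fingerprint(CROSS_SIGNED_INTERMEDIATE["der"])}

if __name__ == "__main__":
    bundle = extract_bundle(CERTDATA)
    print("bundle roots:", sorted(bundle))
    print("via DigiNotar root:", path_validates(CHAIN_VIA_DIGINOTAR_ROOT, bundle))
    print("cross-signed, bundle only:", path_validates(CHAIN_VIA_ENTRUST, bundle))
    print("cross-signed, bundle + distrust list:",
          path_validates(CHAIN_VIA_ENTRUST, bundle, DISTRUST))
```

Run stand-alone it prints a bundle containing only the Entrust root, rejects the chain that ends at the DigiNotar root, accepts the cross-signed chain when only the bundle is consulted, and rejects it once the distrust set is checked. A real distrust list would key on something stable for the certificates it targets (fingerprint, or issuer plus serial as Mozilla's patch did), and the check must be applied to every certificate in the served chain, not just the leaf.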

