curl-tracker Archives

[curl:bugs] #1178 CA Extract generated file does allow some Diginotar certificates

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Sun, 06 Jan 2013 13:47:13 +0000

http://curl.haxx.se/docs/caextract.html has now been updated with info from this report.

---
**[bugs:#1178] CA Extract generated file does allow some Diginotar certificates**
**Status:** open
**Labels:** SSL 
**Created:** Sun Dec 30, 2012 09:11 AM UTC by Richard Odekerken
**Last Updated:** Thu Jan 03, 2013 10:26 PM UTC
**Owner:** Daniel Stenberg
CA Extract-generated CA Bundle does still let Diginotar SSL certificates through
The documentation for CA Extract (http://curl.haxx.se/docs/caextract.html) says "These ca cert bundles do not contain the DigiNotar certificates as Mozilla marks them as untrusted and this script knows the markup for that. "
However, there are a number of extra checks in Mozilla outside of the cert bundle in order to . These checks are in Mozilla source code and explicitly block certificates that have been cross-signed by Entrust and Cybertrust.
See comments 9 and 52 in this ticket 
https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c9
https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c52 
and also see this Mozilla source code patch https://bugzilla.mozilla.org/attachment.cgi?id=556791&action=edit
The test sites in ticket 53 do not work anymore, but a good test site is the Dutch province of Drenthe at https://www.drenthe.nl/ They still use a Diginotar certificate cross-signed by Entrust (yeah). This site is blocked by all major browsers including Firefox, but if you use cURL with validation against the CA Extract-generated CA Bundle, everything is fine and dandy.
My proposal is to generate and use a separate CRL file in order to avoid those hacks like Mozilla did.
---
Sent from sourceforge.net because you indicated interest in <https://sourceforge.net/p/curl/bugs/1178/>
Received on 2013-01-06
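The report's point is that a trust store alone cannot express "this CA is untrusted even though a trusted root has cross-signed it"; Mozilla added that check in code, outside the bundle. The following is an added example (not curl's, Mozilla's or the reporter's code) of the two-step verification this implies: a bundle-style chain check, then an explicit distrust filter over every subject and issuer in the chain, so a DigiNotar-named intermediate is rejected even when its own issuer is a trusted root. It assumes, as the referenced Mozilla patch is described, that distrust is expressed by matching the string "DigiNotar" in certificate names; all certificates, names and the root "bundle" below are constructed stand-ins with no keys or signatures, and name comparison is done on display strings rather than DER-encoded Names.

```python
# Added example (not curl's or Mozilla's code): a bundle-style chain check
# followed by an out-of-bundle distrust filter of the kind the report says
# Mozilla applies in source code. All certificates below are constructed
# stand-ins (subject/issuer strings only, no real keys or signatures).

from typing import Dict, List

# Assumption: matching on the string "DigiNotar" in certificate names, which is
# how the referenced Mozilla patch is described; a real deployment would rather
# pin the SHA-256 fingerprints of the specific distrusted CA certificates.
DISTRUSTED_NAME_FRAGMENTS = ("DigiNotar",)

# Constructed root "bundle": a set of subject names the client trusts.
TRUSTED_ROOTS = {r"CN=Constructed Root CA,O=Constructed Trust\, Inc,C=US"}

# Constructed chain 1: leaf issued by a DigiNotar-named CA that is itself
# cross-signed by the trusted root (the situation the report describes).
CROSS_SIGNED_CHAIN = [
    {"subject": "CN=www.example.test,O=Constructed Province,C=NL",
     "issuer": "CN=DigiNotar Intermediate CA (constructed),O=DigiNotar B.V.,C=NL"},
    {"subject": "CN=DigiNotar Intermediate CA (constructed),O=DigiNotar B.V.,C=NL",
     "issuer": r"CN=Constructed Root CA,O=Constructed Trust\, Inc,C=US"},
]

# Constructed chain 2: an ordinary chain under the same root.
CLEAN_CHAIN = [
    {"subject": "CN=www.example.test,O=Constructed Province,C=NL",
     "issuer": r"CN=Constructed Issuing CA,O=Constructed Trust\, Inc,C=US"},
    {"subject": r"CN=Constructed Issuing CA,O=Constructed Trust\, Inc,C=US",
     "issuer": r"CN=Constructed Root CA,O=Constructed Trust\, Inc,C=US"},
]


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split an RFC 4514-style string DN into {TYPE: [values]}.

    Handles backslash-escaped commas inside values ("O=Trust\\, Inc").
    This is a string-level model; real X.509 name matching compares the
    DER-encoded Name structures, not display strings.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                         # unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    attrs: Dict[str, List[str]] = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def name_is_distrusted(dn: str, fragments=DISTRUSTED_NAME_FRAGMENTS) -> bool:
    """True if any attribute value of the DN contains a distrusted fragment."""
    for values in parse_dn(dn).values():
        for value in values:
            if any(f.lower() in value.lower() for f in fragments):
                return True
    return False


def bundle_accepts(chain: List[dict], trusted_roots=TRUSTED_ROOTS) -> bool:
    """Model of a bundle-only check: every link's issuer must be the next
    certificate's subject, and the last issuer must be a trusted root."""
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer_cert["subject"]:
            return False
    return bool(chain) and chain[-1]["issuer"] in trusted_roots


def chain_has_distrusted_name(chain: List[dict]) -> bool:
    """The out-of-bundle step: reject if any subject or issuer in the chain,
    cross-signed intermediates included, carries a distrusted name."""
    return any(name_is_distrusted(c["subject"]) or name_is_distrusted(c["issuer"])
               for c in chain)


def verify(chain: List[dict], trusted_roots=TRUSTED_ROOTS) -> str:
    """Bundle check first, then the distrust filter; returns a short verdict."""
    if not bundle_accepts(chain, trusted_roots):
        return "rejected: chain does not end in a trusted root"
    if chain_has_distrusted_name(chain):
        return "rejected: distrusted CA name in chain"
    return "accepted"


if __name__ == "__main__":
    for label, chain in (("cross-signed DigiNotar", CROSS_SIGNED_CHAIN),
                         ("clean", CLEAN_CHAIN)):
        print(f"{label:24} bundle-only={bundle_accepts(chain)!s:5} full={verify(chain)}")
```

Run as a script, the cross-signed chain passes the bundle-only check (which is exactly the report's complaint) and is rejected only by the distrust step, while the clean chain passes both. Matching on a name fragment mirrors the described Mozilla behaviour but is coarse; a distrust list keyed on the fingerprints of the specific CA certificates avoids both false matches on unrelated names and misses when a CA is renamed.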
