generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Skip more untrusted certificates.

Browse Source 
Christian Heimes brought to our attention that the certdata.txt
format has recently changed [1], causing ca-bundle.crt created
with mk-ca-bundle.[pl|vbs] to include untrusted certs.

[1] http://lists.debian.org/debian-release/2012/11/msg00411.html
This commit is contained in:
Guenter Knauf
2013-08-04 21:30:11 +02:00
parent 6b27703b5f
commit 51f0b798fa
2 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
lib/mk-ca-bundle.pl
View File

@@ -40,7 +40,7 @@ my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/
# If the OpenSSL commandline is not in search path you can configure it here!
my $openssl = 'openssl';
my $version = '1.18';
my $version = '1.19';
$opt_w = 76; # default base64 encoded lines length
@@ -185,8 +185,9 @@ while (<TXT>) {
while (<TXT>) {
last if (/^#/);
if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/) {
$untrusted = 1;
or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/
or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_MUST_VERIFY_TRUST/) {
$untrusted = 1;
}
}
if ($untrusted) {