]> granicus.if.org Git - curl/commitdiff
projects / curl / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6b27703)
Skip more untrusted certificates.
authorGuenter Knauf <lists@gknw.net>
Sun, 4 Aug 2013 19:30:11 +0000 (21:30 +0200)
committerGuenter Knauf <lists@gknw.net>
Sun, 4 Aug 2013 19:30:11 +0000 (21:30 +0200)
Christian Heimes brought to our attention that the certdata.txt
format has recently changed [1], causing ca-bundle.crt created
with mk-ca-bundle.[pl|vbs] to include untrusted certs.

[1] http://lists.debian.org/debian-release/2012/11/msg00411.html

lib/mk-ca-bundle.pl patch | blob | history
lib/mk-ca-bundle.vbs patch | blob | history

diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index edede426126bc4af4db65ececdedc246310b9339..873f8fb772574505e56008e22abee1803573a523 100755 (executable)
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -40,7 +40,7 @@ my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/
 # If the OpenSSL commandline is not in search path you can configure it here!
 my $openssl = 'openssl';
 
-my $version = '1.18';
+my $version = '1.19';
 
 $opt_w = 76; # default base64 encoded lines length
 
@@ -185,8 +185,9 @@ while (<TXT>) {
     while (<TXT>) {
       last if (/^#/);
       if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
-          or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/) {
-          $untrusted = 1;
+          or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/
+          or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_MUST_VERIFY_TRUST/) {
+        $untrusted = 1;
       }
     }
     if ($untrusted) {
diff --git a/lib/mk-ca-bundle.vbs b/lib/mk-ca-bundle.vbs
index ec9f4520b64e57a9f2be409041d594a1b3c01f18..a8b2358a14064f5a050d945a3ab5e6e1a6f06561 100755 (executable)
--- a/lib/mk-ca-bundle.vbs
+++ b/lib/mk-ca-bundle.vbs
@@ -26,7 +26,7 @@
 '* Hacked by Guenter Knauf\r
 '***************************************************************************\r
 Option Explicit\r
-Const myVersion = "0.3.7"\r
+Const myVersion = "0.3.8"\r
 \r
 Const myUrl = "http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1"\r
 \r
@@ -131,7 +131,8 @@ For i = 0 To UBound(myLines)
       While (i < UBound(myLines)) And Not (myLines(i) = "#")\r
         i = i + 1\r
         If (InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED") Or _\r
-           InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN")) Then\r
+           InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN") Or _\r
+           InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST")) Then\r
           myUntrusted = TRUE\r
         End If\r
       Wend\r
Unnamed repository; edit this file 'description' to name the repository.