
#1178 CA Extract generated file does allow some Diginotar certificates

Status: closed-fixed
Labels: SSL (4)
Priority: 5
Updated: 2013-06-21
Created: 2012-12-30
Private: No

CA Extract-generated CA Bundle does still let Diginotar SSL certificates through

The documentation for CA Extract (http://curl.haxx.se/docs/caextract.html) says "These ca cert bundles do not contain the DigiNotar certificates as Mozilla marks them as untrusted and this script knows the markup for that. "

However, there are a number of extra checks in Mozilla outside of the cert bundle in order to . These checks are in Mozilla source code and explicitly block certificates that have been cross-signed by Entrust and Cybertrust.

See comments 9 and 52 in this ticket
https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c9
https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c52

and also see this Mozilla source code patch https://bugzilla.mozilla.org/attachment.cgi?id=556791&action=edit

The test sites in ticket 53 do not work anymore, but a good test site is the Dutch province of Drenthe at https://www.drenthe.nl/ They still use a Diginotar certificate cross-signed by Entrust (yeah). This site is blocked by all major browsers including Firefox, but if you use cURL with validation against the CA Extract-generated CA Bundle, everything is fine and dandy.

My proposal is to generate and use a separate CRL file in order to avoid those hacks like Mozilla did.

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2013-01-02
    • labels: --> SSL
    • assigned_to: Daniel Stenberg
    • milestone: -->
     
  • Daniel Stenberg

    Daniel Stenberg - 2013-01-02

    Thanks for your report!

    Your suggestion is fine and I would certainly enjoy seeing a patch or other improvement that would bring this functionality!

    But is that really a bug in this script? If the script converts the certs that are listed as trusted in that remote document, and it doesn't include any that are explicitly listed as not trusted, then the script does what it is supposed to do. Right?

     
  • Richard Odekerken

    No, it's not a bug in the script. It's a bug in the accompanying documentation, which currently implies that everything Diginotar-related will be perfectly fine, while that's not the case.

    Because this made me aware of the 'bigger problem' with people hardcoding stuff into their HTTP clients like Mozilla did, it goes along with a suggestion for additional functionality: to add a script or logic to generate a file to be fed into CURLOPT_CRLFILE, and maybe to include a standard CRL PEM file in the distro.

    Update: working on a script that gathers all CRL files, similar to the CA Extract script. Will let you know when it's done.

     

    Last edit: Richard Odekerken 2013-01-03
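The situation the report and the comment above describe, as an added example that is not part of this ticket, of CA Extract or of any curl script: a certificate that chains to a trusted root passes a bundle-only check, and only a CRL supplied next to the bundle makes the verifier reject it. The script builds a throwaway CA, leaf certificate and CRL with openssl(1) in a temp directory, so DemoRootCA, www.example.test and the file names are constructed for the demo; the bundle/CRL pair it ends up with is the same pair of inputs that curl takes via --cacert / --crlfile (CURLOPT_CAINFO / CURLOPT_CRLFILE).

```shell
#!/bin/sh
# Added example (not from the ticket or curl): a CA bundle alone cannot say
# "this certificate is explicitly distrusted"; a CRL handed to the verifier
# alongside the bundle can. Everything below is a throwaway PKI built in a
# temp directory; no real CA or network is involved.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config: enough for req(1) to make a CA and for ca(1) to
# revoke a certificate and issue a CRL. All paths are local to $WORK.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName = supplied
EOF
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

# 1. Root CA: stands in for the trusted bundle (e.g. CA Extract's output).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj /CN=DemoRootCA -keyout ca.key -out ca.crt 2>/dev/null

# 2. Leaf issued by that CA: stands in for a still-valid certificate that
#    chains to a trusted signer (the cross-signed DigiNotar case).
openssl req -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj /CN=www.example.test -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -sha256 -out leaf.crt 2>/dev/null

# 3. Revoke the leaf and issue a CRL: the explicit distrust that the bundle
#    itself has no way to carry.
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null

# Bundle-only check: what curl --cacert (CURLOPT_CAINFO) alone does.
verify_bundle_only() {   # $1 = bundle, $2 = cert; prints accepted|rejected
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Bundle + CRL check: what curl --cacert plus --crlfile (CURLOPT_CRLFILE) does.
verify_with_crl() {      # $1 = bundle, $2 = CRL, $3 = cert; prints accepted|rejected
  if openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# $WORK is left in place so the generated files can be inspected afterwards.
echo "bundle only : $(verify_bundle_only ca.crt leaf.crt)"          # accepted
echo "bundle + CRL: $(verify_with_crl ca.crt revoked.crl leaf.crt)" # rejected
```

The first check is exactly the position the report describes: the chain is cryptographically valid against the bundle, so nothing in the bundle can refuse it. The second check is what a generated CRL file gives a curl user; against a real site the equivalent is `curl --cacert ca-bundle.crt --crlfile revoked.crl https://...`, and the CRL has to be refreshed regularly because its nextUpdate expires.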
  • Daniel Stenberg

    Daniel Stenberg - 2013-01-03

    Thanks a lot Richard, eagerly waiting to see what comes out of that!

     
  • Daniel Stenberg

    Daniel Stenberg - 2013-01-06

    http://curl.haxx.se/docs/caextract.html has now been updated with info from this report.

     
  • Daniel Stenberg

    Daniel Stenberg - 2013-03-09
    • status: open --> closed-fixed
     
  • Daniel Stenberg

    Daniel Stenberg - 2013-03-09

    This is now considered fixed and I close this issue.