On Wed, Sep 28, 2011 at 02:27:47PM +0200, Thomas Bächler wrote:
On 27.09.2011 23:30, Jan de Groot wrote:
I dropped a new curl in testing a few days ago with only one real change. It now builds and uses its own cacert bundle which is dropped in /etc/ssl/certs/ca-bundle.crt. This is similar to the ca-certificates bundle, but taken directly from Mozilla and processed with an in tree perl script.
With this, the ca-certificates dep is of course removed. I don't expect any regressions, but please dig up your curl/https powered apps and make sure they still work.
What's the purpose of this? The whole reasoning behind ca-certificates is to have a central certificate store. Remember that the ca-certificates package as maintained by debian originates from NSS, so basically these contain the same certificates.
IMHO this is a big -1 from my side.
Agreed, without further explanation this seems like complete nonsense.
Well, you're both probably right and this should be fixed in ca-certificates. As it currently stands with curl using ca-bundle.crt versus wget using ca-certificate.crt....

$ wget --spider https://signin.ebay.com
Spider mode enabled. Check if remote file exists.
--2011-09-28 08:36:03--  https://signin.ebay.com/
Resolving signin.ebay.com... 66.211.181.96, 66.135.202.140, 66.135.205.10
Connecting to signin.ebay.com|66.211.181.96|:443... connected.
ERROR: cannot verify signin.ebay.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA':
  Unable to locally verify the issuer's authority.
To connect to signin.ebay.com insecurely, use `--no-check-certificate'.

$ curl -I https://signin.ebay.com
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"354-1117144930000"
Last-Modified: Thu, 26 May 2005 22:02:10 GMT
Content-Type: text/html
Content-Length: 354

So we're missing the VeriSign Class 3 cert which seems extremely odd. As per Verisign[1], all class 3 root certs are valid and should remain in root certificate bundles. I'd love to do a comparison and find out what else is missing from the debian sourced bundle, but there are no comments in the ca-certificates file which makes that job a bit more difficult.

dave

[1] http://www.verisign.com/support/roots.html
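The comparison Dave asks for, as an added example that is not part of the thread or of either package: it matches certificates across two PEM bundles by SHA-1 fingerprint, so the names from curl's commented ca-bundle.crt can be attached to the entries of the uncommented ca-certificates bundle. The embedded sample bundles are constructed stand-ins, not real certificates; pass two bundle paths as arguments to diff real files.

```python
import base64
import hashlib
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_bundle(text):
    """Map SHA-1 fingerprint -> name for each PEM cert in a bundle.

    The name is the last non-blank line before the cert (curl's
    Mozilla-derived bundle puts the CA name there, underlined with
    '='); a bundle without such lines yields empty names.
    """
    certs, name, body = {}, "", None
    for line in map(str.strip, text.splitlines()):
        if line == BEGIN:
            body = []
        elif line == END and body is not None:
            hexfp = hashlib.sha1(base64.b64decode("".join(body))).hexdigest().upper()
            certs[":".join(hexfp[i:i + 2] for i in range(0, 40, 2))] = name
            body, name = None, ""
        elif body is not None:
            body.append(line)
        elif line and not line.startswith("="):  # skip the ===== underline
            name = line.lstrip("# ")
    return certs


def compare_bundles(named, unnamed):
    """Return (only_in_named, only_in_unnamed) as sorted (fingerprint, name)
    lists; certs are matched by fingerprint, so comments are not needed."""
    a, b = parse_bundle(named), parse_bundle(unnamed)
    only_a = sorted((fp, a[fp]) for fp in a.keys() - b.keys())
    only_b = sorted((fp, b[fp] or "(unnamed)") for fp in b.keys() - a.keys())
    return only_a, only_b


def fake_cert(name, payload):
    # Constructed stand-in, NOT a real certificate: the diff only hashes the
    # decoded bytes, so any payload is enough for demonstration and tests.
    return f"{name}\n{'=' * len(name)}\n{BEGIN}\n{base64.b64encode(payload).decode()}\n{END}\n"


SAMPLE_NAMED = fake_cert("Constructed Root CA 1", b"cert-1") + fake_cert("Constructed Root CA 2", b"cert-2")
SAMPLE_UNNAMED = f"{BEGIN}\n{base64.b64encode(b'cert-2').decode()}\n{END}\n"

if __name__ == "__main__":
    files = [open(p).read() for p in sys.argv[1:3]] if len(sys.argv) == 3 else [SAMPLE_NAMED, SAMPLE_UNNAMED]
    for tag, group in zip(("missing from second", "only in second"), compare_bundles(*files)):
        for fp, name in group:
            print(f"{tag}: {name} {fp}")
```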