[arch-dev-public] [signoff] curl 7.22.0-2
d at falconindy.com
Wed Sep 28 08:52:16 EDT 2011
On Wed, Sep 28, 2011 at 02:27:47PM +0200, Thomas Bächler wrote:
> On 27.09.2011 23:30, Jan de Groot wrote:
> >> I dropped a new curl in testing a few days ago with only one real
> >> change. It now builds and uses its own cacert bundle which is dropped in
> >> /etc/ssl/certs/ca-bundle.crt. This is similar to the ca-certificates
> >> bundle, but taken directly from Mozilla and processed with an in tree
> >> perl script.
> >> With this, the ca-certificates dep is of course removed. I don't expect
> >> any regressions, but please dig up your curl/https powered apps and make
> >> sure they still work.
> > What's the purpose of this? The whole reasoning behind ca-certificates
> > is to have a central certificate store. Remember that the
> > ca-certificates package as maintained by debian originates from NSS, so
> > basically these contain the same certificates.
> > IMHO this is a big -1 from my side.
> Agreed, without further explanation this seems like complete nonsense.
Well, you're both probably right and this should be fixed in
ca-certificates. As it currently stands with curl using ca-bundle.crt
versus wget using ca-certificate.crt....
$ wget --spider https://signin.ebay.com
Spider mode enabled. Check if remote file exists.
--2011-09-28 08:36:03-- https://signin.ebay.com/
Resolving signin.ebay.com... 184.108.40.206, 220.127.116.11, 18.104.22.168
Connecting to signin.ebay.com|22.214.171.124|:443... connected.
ERROR: cannot verify signin.ebay.com's certificate, issued by
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended
Validation SSL CA':
Unable to locally verify the issuer's authority. To connect to
signin.ebay.com insecurely, use `--no-check-certificate'.
$ curl -I https://signin.ebay.com
HTTP/1.1 200 OK
Last-Modified: Thu, 26 May 2005 22:02:10 GMT
So we're missing the VeriSign Class 3 cert which seems extremely odd.
As per Verisign, all class 3 root certs are valid and should
remain in root certificate bundles.
I'd love to do a comparison and find out what else is missing from the
debian sourced bundle, but there's no comments in the ca-certificates
file which makes that job a bit more difficult.