[arch-dev-public] [signoff] curl 7.22.0-2

Dave Reisner d at falconindy.com
Wed Sep 28 08:52:16 EDT 2011

On Wed, Sep 28, 2011 at 02:27:47PM +0200, Thomas Bächler wrote:
> Am 27.09.2011 23:30, schrieb Jan de Groot:
> >> I dropped a new curl in testing a few days ago with only one real
> >> change. It now builds and uses its own cacert bundle which is dropped in
> >> /etc/ssl/certs/ca-bundle.crt. This is similar to the ca-certificates
> >> bundle, but taken directly from Mozilla and processed with an in tree
> >> perl script.
> >>
> >> With this, the ca-certificates dep is of course removed. I don't expect
> >> any regressions, but please dig up your curl/https powered apps and make
> >> sure they still work.
> > 
> > What's the purpose of this? The whole reasoning behind ca-certificates
> > is to have a central certificate store. Remember that the
> > ca-certificates package as maintained by debian originates from NSS, so
> > basically these contain the same certificates.
> > 
> > IMHO this is a big -1 from my side.
> Agreed, without further explanation this seems like complete nonsense.

Well, you're both probably right and this should be fixed in
ca-certificates. As it currently stands with curl using ca-bundle.crt
versus wget using ca-certificate.crt....

$ wget --spider https://signin.ebay.com
Spider mode enabled. Check if remote file exists.
--2011-09-28 08:36:03--  https://signin.ebay.com/
Resolving signin.ebay.com...,,
Connecting to signin.ebay.com||:443... connected.
ERROR: cannot verify signin.ebay.com's certificate, issued by
`/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended
Validation SSL CA':
  Unable to locally verify the issuer's authority.  To connect to
  signin.ebay.com insecurely, use `--no-check-certificate'.

$ curl -I https://signin.ebay.com
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"354-1117144930000"
Last-Modified: Thu, 26 May 2005 22:02:10 GMT
Content-Type: text/html
Content-Length: 354

So we're missing the VeriSign Class 3 cert which seems extremely odd.
As per Verisign[1], all class 3 root certs are valid and should
remain in root certificate bundles.

I'd love to do a comparison and find out what else is missing from the
debian sourced bundle, but there are no comments in the ca-certificates
file which makes that job a bit more difficult.


[1] http://www.verisign.com/support/roots.html
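The comparison Dave wants above does not actually need the comment headers: a PEM bundle can be compared certificate by certificate on the base64 body (i.e. on the DER bytes), which is the same whether the bundle carries curl's "Issuer/Subject" comments or, like Debian's ca-certificates.crt, none at all. The script below is an added example, not part of the original message or of either package; the two bundles it builds are constructed dummy files with placeholder bodies (not real certificates) so it runs offline, and the `openssl x509` call is only used when a real certificate body and an openssl binary are present.

```shell
#!/bin/sh
# Compare two PEM CA bundles by certificate body rather than by comments.
# Added example; bundle paths and sample contents are assumptions.

# pem_bodies FILE: one line per certificate, the base64 body with all
# whitespace removed, so line wrapping and surrounding comments do not matter.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
        inblock { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# only_in A B: bodies present in bundle A but absent from bundle B.
only_in() {
    a=$(mktemp) ; b=$(mktemp)
    pem_bodies "$1" | sort -u > "$a"
    pem_bodies "$2" | sort -u > "$b"
    comm -23 "$a" "$b"          # comm -23: lines unique to the first file
    rm -f "$a" "$b"
}

count_only_in() { only_in "$1" "$2" | wc -l | tr -d ' '; }

# describe BODY: subject and SHA-1 fingerprint via openssl when the body is a
# real certificate; otherwise a checksum of the body so it can still be named.
describe() {
    desc=""
    if command -v openssl >/dev/null 2>&1; then
        desc=$( { printf '%s\n' '-----BEGIN CERTIFICATE-----'
                  printf '%s\n' "$1" | fold -w 64
                  printf '%s\n' '-----END CERTIFICATE-----'; } |
                openssl x509 -noout -subject -fingerprint -sha1 2>/dev/null ) || desc=""
    fi
    [ -n "$desc" ] || desc="body cksum $(printf '%s' "$1" | cksum | cut -d' ' -f1) (placeholder body or no openssl)"
    printf '%s\n' "$desc"
}

# --- constructed sample bundles (dummy bodies, NOT real certificates) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_A="$SAMPLE_DIR/ca-bundle.crt"          # curl style: comments + names
SAMPLE_B="$SAMPLE_DIR/ca-certificates.crt"    # Debian style: bare PEM blocks
cat > "$SAMPLE_A" <<'EOF'
##
## ca-bundle.crt -- constructed sample for illustration only
##
Example Root X
==============
-----BEGIN CERTIFICATE-----
Q0VSVC1YLXBsYWNlaG9sZGVy
LWJvZHktbm90LWEtcmVhbC1jZXJ0
-----END CERTIFICATE-----

Example Root Y
==============
-----BEGIN CERTIFICATE-----
Q0VSVC1ZLXBsYWNlaG9sZGVy
-----END CERTIFICATE-----

Example Root Z
==============
-----BEGIN CERTIFICATE-----
Q0VSVC1aLXBsYWNlaG9sZGVy
-----END CERTIFICATE-----
EOF
cat > "$SAMPLE_B" <<'EOF'
-----BEGIN CERTIFICATE-----
Q0VSVC1YLXBsYWNlaG9sZGVyLWJvZHktbm90LWEtcmVhbC1jZXJ0
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0VSVC1aLXBsYWNlaG9sZGVy
-----END CERTIFICATE-----
EOF

# Root X is wrapped differently in the two files but still matches; only Y
# is reported as missing from the comment-free bundle.
printf 'in %s but not in %s:\n' "$SAMPLE_A" "$SAMPLE_B"
only_in "$SAMPLE_A" "$SAMPLE_B" | while IFS= read -r body; do
    printf '  '; describe "$body"
done
```

Against the real files discussed in the thread the same check is `only_in /etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt` (and the reverse), with `describe` turning each missing body into a subject and fingerprint so a gap like the VeriSign Class 3 root is visible without relying on comments in either bundle.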
