[arch-dev-public] [signoff] curl 7.22.0-2

Dave Reisner d at falconindy.com
Wed Sep 28 11:01:21 EDT 2011


On Wed, Sep 28, 2011 at 04:39:20PM +0200, Jan de Groot wrote:
> On Wed, 2011-09-28 at 08:52 -0400, Dave Reisner wrote:
> > So we're missing the VeriSign Class 3 cert which seems extremely odd.
> > As per Verisign[1], all class 3 root certs are in valid and should
> > remain in root certificate bundles.
> 
> We're not missing it in ca-certificates, we just have a different one.
> Both ca-bundle.crt and ca-certificates.crt contain the same serial
> number for this certificate, the only difference I can find is this:
> 
> Signature Algorithm: sha1WithRSAEncryption
> Signature Algorithm: md2WithRSAEncryption
> 
> curl uses GNUTLS, which doesn't support MD2. OpenSSL should support it,

Our curl does not link against gnutls. Upstream doesn't recommend this,
either, when openssl is available.

> know how far the application has to go to support it.
> 
> Our ca-certificates package contains these CAs that are not in mozilla
> NSS:
> - brasil.gov.br
wget can't verify this cert.

> - debconf.org
wget can't verify this cert.

> - signet.pl
wget can't verify this cert. The common name is
www.bptp.lodz.telekomunikacja.pl, but wget won't verify that either.

> We patch cacert.org and spi-inc.org into NSS, so that narrows the list a
> bit. IMHO we should just drop ca-certificates in its current shape and
> replace it with a dump from our NSS package. We could even discuss about
> the inclusion of spi-inc.org and cacert certificates.

Sure, I'm very interested in doing this. The current certs package is
pretty ugly. Unfortunately, every distro seems to have their own method
of managing this.

d
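As an added example (not code from this thread or from Arch's packages), a stdlib-only Python checker that does what Jan did by hand: pull the serial number and outer signature algorithm out of every certificate in a PEM bundle and flag the MD2/MD5-signed ones, so two bundles such as ca-bundle.crt and ca-certificates.crt can be compared serial by serial. The bundle it scans is constructed from structurally minimal fake certificates (same serial twice, once sha1WithRSAEncryption and once md2WithRSAEncryption), not the real VeriSign roots.

```python
import base64
import re
# Signature-algorithm OIDs (RFC 3279/4055); the MD2 and MD5 ones are what GnuTLS refuses.
SIG_ALG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption", "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def der_tlv(buf, pos):
    # Decode one DER tag/length/value at pos; return (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    # OID content bytes to dotted form: first byte packs two arcs, the rest are base-128.
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_info(der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, cert, _ = der_tlv(der, 0)
    _, tbs, p = der_tlv(cert, 0)
    _, sig_alg, _ = der_tlv(cert, p)
    _, oid_raw, _ = der_tlv(sig_alg, 0)  # AlgorithmIdentifier starts with the algorithm OID
    tag, serial, q = der_tlv(tbs, 0)     # tbs: optional [0] EXPLICIT version, then serialNumber
    if tag == 0xA0:
        _, serial, _ = der_tlv(tbs, q)
    alg = SIG_ALG_OIDS.get(oid := decode_oid(oid_raw), oid)
    return {"serial": serial.hex().upper(), "sigalg": alg, "weak": alg.startswith(("md2", "md5"))}

def scan_bundle(pem_text):
    # Every PEM certificate in a bundle -> its serial, signature algorithm and weak flag.
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [cert_info(base64.b64decode("".join(b.split()))) for b in blocks]
# Constructed sample bundle: structurally minimal fake certificates, not real CA certificates.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length is enough for these small objects
def _fake_cert(sig_oid_hex, serial_hex):
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes.fromhex(serial_hex)))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")  # OID + NULL params
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))                   # dummy BIT STRING
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
SAMPLE_BUNDLE = _fake_cert("2a864886f70d010105", "0102030405") + _fake_cert("2a864886f70d010102", "0102030405")
```

Run it over the two real bundles and diff the output by serial: a root whose self-signature is MD2 is structurally the same trust anchor as its SHA-1 re-signed twin, but a TLS library that refuses to parse MD2-signed certificates will silently drop it from the trust store.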
