[arch-dev-public] [signoff] curl 7.22.0-2

Dave Reisner d at falconindy.com
Wed Sep 28 11:01:21 EDT 2011

On Wed, Sep 28, 2011 at 04:39:20PM +0200, Jan de Groot wrote:
> On Wed, 2011-09-28 at 08:52 -0400, Dave Reisner wrote:
> > So we're missing the VeriSign Class 3 cert which seems extremely odd.
> > As per Verisign[1], all class 3 root certs are in valid and should
> > remain in root certificate bundles.
> We're not missing it in ca-certificates, we just have a different one.
> Both ca-bundle.crt and ca-certificates.crt contain the same serial
> number for this certificate, the only difference I can find is this:
> Signature Algorithm: sha1WithRSAEncryption
> Signature Algorithm: md2WithRSAEncryption
> curl uses GNUTLS, which doesn't support MD2. OpenSSL should support it,

Our curl does not link against gnutls. Upstream doesn't recommend this,
either, when openssl is available.

> know how far the application has to go to support it.
> Our ca-certificates package contains these CAs that are not in mozilla
> NSS:
> - brasil.gov.br
wget can't verify this cert.

> - debconf.org
wget can't verify this cert.

> - signet.pl
wget can't verify this cert. The common name is
www.bptp.lodz.telekomunikacja.pl, but wget won't verify that either.

> We patch cacert.org and spi-inc.org into NSS, so that narrows the list a
> bit. IMHO we should just drop ca-certificates in its current shape and
> replace it with a dump from our NSS package. We could even discuss
> the inclusion of spi-inc.org and cacert certificates.

Sure, I'm very interested in doing this. The current certs package is
pretty ugly. Unfortunately, every distro seems to have their own method
of managing this.
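
The comparison Jan describes above (the same serial number in both bundles, but a different signature algorithm) can be automated. This is an added example, not part of the original thread or of any Arch package; the function names are illustrative, and the sample certificates are constructed skeletons that carry only a serial number and a signature algorithm.

```python
# Added example; all function names here are illustrative assumptions.
import base64, re

# DER-encoded OID bodies for the two algorithms named in the thread.
SIG_ALGS = {bytes.fromhex("2a864886f70d010102"): "md2WithRSAEncryption",
            bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def serial_and_sigalg(der):
    """(serial hex, signature algorithm) from one certificate's tbsCertificate."""
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    _, alg, _ = read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, oid, _ = read_tlv(alg, 0)
    return val.hex(), SIG_ALGS.get(oid, "oid " + oid.hex())

def index_bundle(pem_text):
    """Map serial -> signature algorithm (keyed on serial alone, as in the thread)."""
    return dict(serial_and_sigalg(base64.b64decode(b))
                for b in PEM_RE.findall(pem_text))

def sigalg_differences(bundle_a, bundle_b):
    """Serials present in both bundles whose signature algorithm differs."""
    a, b = index_bundle(bundle_a), index_bundle(bundle_b)
    return {s: (a[s], b[s]) for s in sorted(a.keys() & b.keys()) if a[s] != b[s]}

def constructed_pem(serial_hex, oid_hex):
    """Constructed sample: certificate skeleton with only serial + sigalg."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, bytes.fromhex(serial_hex)) + alg)
    body = base64.b64encode(tlv(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Passing the text of two real bundle files to `sigalg_differences` lists every certificate that shares a serial number across the two but is signed with a different algorithm. Serial numbers are only unique per issuer, so a stricter comparison would key on issuer and serial together.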

