
This queue is for tickets about the Mozilla-CA CPAN distribution.

Report information
The Basics
Id: 70967
Status: open
Priority: 0/
Queue: Mozilla-CA

People
Owner: Nobody in particular
Requestors: thoger [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Mozilla::CA - do not add untrusted CAs from mozilla certdata.txt to cacert.pem
Date: Wed, 14 Sep 2011 18:46:00 +0200
To: bug-Mozilla-CA [...] rt.cpan.org
From: Tomas Hoger <thoger [...] redhat.com>
Hi!

cacert.pem in the latest Mozilla-CA version (20110904) seems to have been generated with an old mk-ca-bundle.pl that is unable to cope with untrusted certificates from certdata.txt. You should really be using the current version, which is able to skip those CAs that are imported into the nss/mozilla bundle flagged as untrusted:

https://github.com/bagder/curl/commit/809cde54166f959cdc84359306b4db22bb3f4c12

The changelog for 20110904 says:

- Remove and distrust DigiNotar

which seems to refer to:

https://github.com/gisle/mozilla-ca/commit/842a12430b4e99c1caeb64340136d03c6dfb7280

which removes the DigiNotar cert, re-adds it, and also re-adds all other DigiNotar intermediates that nss/mozilla has as untrusted.

th.
I've updated the mk-ca-bundle script and reran ./update-cacert-file and pushed the result back to github. Ask, do you want to push another CPAN release?
Yikes. Thanks Thomas. I was wondering about them being in the certdata.txt file; the change log from Mozilla wasn't really clear to me, so I thought "this certificate isn't really trusted" was encoded in the base64 data, but thinking about it now that was pretty dumb! Thank you again. I'll push a new release to CPAN shortly.
Subject: Re: [rt.cpan.org #70967] Mozilla::CA - do not add untrusted CAs from mozilla certdata.txt to cacert.pem
Date: Mon, 26 Sep 2011 09:50:47 +0200
To: bug-Mozilla-CA [...] rt.cpan.org
From: Tomas Hoger <thoger [...] redhat.com>
Hi!

An FYI, mk-ca-bundle.pl got another update that makes it skip CAs that are marked as trusted for issuing email and/or code signing certificates in NSS, but are not marked as trusted or explicitly untrusted for server identification certs in the NSS builtins database.

https://github.com/bagder/curl/commit/cd3cf55b47332769a0e737feb9c5a6d48dce5de9

th.
Subject: Re: [rt.cpan.org #70967] Mozilla::CA - do not add untrusted CAs from mozilla certdata.txt to cacert.pem
Date: Sun, 9 Oct 2011 00:00:50 -0700
To: bug-Mozilla-CA [...] rt.cpan.org
From: Ask Bjørn Hansen <ask [...] perl.org>
On Sep 26, 2011, at 0:50, Tomas Hoger via RT wrote:

> An FYI, mk-ca-bundle.pl got another update that makes it skip CAs
> that are marked as trusted for issuing email and/or code signing
> certificates in NSS, but are not marked as trusted or explicitly
> untrusted for server identification certs in the NSS builtins database.
>
> https://github.com/bagder/curl/commit/cd3cf55b47332769a0e737feb9c5a6d48dce5de9
Thanks Tomas! I added that to Mozilla::CA, too. I didn't make a release yet; can you glance over the changes to the CA file and confirm that it looks right? There are several of the certificates that I'd have expected from the name etc. to be good that got removed.

https://github.com/gisle/mozilla-ca/commit/9db65fdee937b6c74f73c16b7524e1c32b50e43c

- ask
Subject: Re: [rt.cpan.org #70967] Mozilla::CA - do not add untrusted CAs from mozilla certdata.txt to cacert.pem
Date: Sun, 9 Oct 2011 19:45:27 +0200
To: bug-Mozilla-CA [...] rt.cpan.org
From: Tomas Hoger <thoger [...] redhat.com>
On Sun, 9 Oct 2011 03:00:58 -0400 ask@perl.org via RT wrote:

> I added that to Mozilla::CA, too. I didn't make a release yet; can
> you glance over the changes to the CA file and confirm that it looks
> right? There are several of the certificates that I'd have expected
> from the name etc to be good that got removed.
>
> https://github.com/gisle/mozilla-ca/commit/9db65fdee937b6c74f73c16b7524e1c32b50e43c
As mentioned in my previous email, all those certificates that got removed when the updated mk-ca-bundle.pl was used are not marked as trusted for issuing server identification certs in NSS (see CKA_TRUST_SERVER_AUTH for the relevant certs). If the purpose of Mozilla::CA is to provide a cert bundle to be used by SSL clients to check server SSL certificates, there should be no need to include CAs that should only issue email or code signing certs.

I have double checked the CAs removed in the above commit to confirm that they are trusted for email or code signing only. One exception is "UTN-USER First-Network Applications", which does not seem to be trusted for either of the uses in NSS.

My guess is the removal of Verisign CAs raised the concerns, so I checked those against:

https://www.verisign.com/support/roots.html

Verisign Class 1 Public Primary Certification Authority
  This root CA is used today to sign all Class 1 e-mail certificates.

Verisign Class 2 Public Primary Certification Authority
  retired

Verisign Class 1 Public Primary Certification Authority - G2
  retired

Verisign Class 2 Public Primary Certification Authority - G2
  This root CA is used today to sign Class 2 client certificates issued through VeriSign's Managed PKI Service.

Verisign Class 1 Public Primary Certification Authority - G3
  This root CA will be used today to sign all Class 1 e-mail certificates starting in Q4 2010.

Verisign Class 2 Public Primary Certification Authority - G3
  This root CA is used today to sign Class 2 client certificates issued through VeriSign's Managed PKI Service.

th.
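The selection rule Tomas describes over the course of this ticket (first: drop CAs whose NSS trust object says CKT_NSS_NOT_TRUSTED, as with the DigiNotar entries; then, after the second curl commit: emit a root only when its CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR, so that email-only and code-signing-only roots drop out too), written out as an added Python example. This is not mk-ca-bundle.pl and not Mozilla::CA code. The certdata.txt text it parses is constructed for the example, the CKA_VALUE bytes are DER-looking placeholders rather than real certificates, and pairing certificate objects with trust objects by CKA_LABEL is this example's simplification (NSS itself keys trust by issuer and serial number).

```python
"""Added example (not mk-ca-bundle.pl / Mozilla::CA code): keep only the CAs in an NSS certdata.txt that are trusted for TLS server auth."""
import base64
import re

TRUSTED_DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"
OCTAL_BYTE = re.compile(r"\\([0-7]{3})")

def decode_octal(lines):
    """MULTILINE_OCTAL body lines (\\060\\202...) -> bytes."""
    return bytes(int(o, 8) for line in lines for o in OCTAL_BYTE.findall(line))

def parse_certdata(text):
    """Return one attribute dict per object (CKO_CERTIFICATE or CKO_NSS_TRUST).
    A CKA_CLASS line opens a new object; a MULTILINE_OCTAL value runs until a line that is exactly END."""
    objects, cur = [], None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):        # comments and blank separators
            continue
        parts = line.split(None, 2)
        if len(parts) < 2 or not parts[0].startswith("CKA_"):   # BEGINDATA, CVS_ID, ...
            continue
        attr, typ, val = (parts + [""])[:3]
        if attr == "CKA_CLASS":
            cur = {}
            objects.append(cur)
        if cur is None:                              # attribute before any CKA_CLASS: ignore
            continue
        if typ == "MULTILINE_OCTAL":
            body = []
            for raw in lines:                        # consume the octal body up to END
                if raw.strip() == "END":
                    break
                body.append(raw)
            cur[attr] = decode_octal(body)
        elif typ == "UTF8":
            cur[attr] = val.strip('"')
        else:
            cur[attr] = val                          # CK_TRUST / CK_BBOOL / CKO_* symbolic values
    return objects

def select_server_auth_cas(objects):
    """Pair each certificate with its trust object by CKA_LABEL (example simplification; NSS keys
    trust by issuer+serial) and keep only those whose CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR.
    Returns (kept, skipped): kept = [(label, der_bytes)], skipped = {label: reason}."""
    trust = {o.get("CKA_LABEL"): o for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    kept, skipped = [], {}
    for o in objects:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        label = o.get("CKA_LABEL", "<unlabeled>")
        t = trust.get(label)
        if t is None:                                # unknown trust is not trust
            skipped[label] = "no CKO_NSS_TRUST object"
            continue
        flag = t.get("CKA_TRUST_SERVER_AUTH", "<absent>")
        if flag != TRUSTED_DELEGATOR:                # covers CKT_NSS_NOT_TRUSTED and email/code-signing-only roots
            skipped[label] = f"CKA_TRUST_SERVER_AUTH = {flag}"
            continue
        der = o.get("CKA_VALUE", b"")
        if not der or der[0] != 0x30:                # a DER certificate always starts with a SEQUENCE tag
            skipped[label] = "CKA_VALUE is not a DER SEQUENCE"
            continue
        kept.append((label, der))
    return kept, skipped

def to_pem(label, der):
    """One bundle entry in mk-ca-bundle style: label, underline, PEM block."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{label}\n{'=' * len(label)}\n-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def _octal(b):
    """Render bytes the way certdata.txt does: \\ooo escapes terminated by END."""
    return "".join(f"\\{x:03o}" for x in b) + "\nEND"

def _entry(label, server, email, code):
    """Constructed certificate + trust object pair; CKA_VALUE is a placeholder, not a real certificate."""
    value = bytes([0x30, 0x82, 0x01, 0x00]) + label.encode()
    return f"""
# Certificate "{label}"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "{label}"
CKA_VALUE MULTILINE_OCTAL
{_octal(value)}
# Trust for "{label}"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "{label}"
CKA_TRUST_SERVER_AUTH CK_TRUST {server}
CKA_TRUST_EMAIL_PROTECTION CK_TRUST {email}
CKA_TRUST_CODE_SIGNING CK_TRUST {code}
"""

# Constructed sample certdata.txt: one TLS root, one email-only root, one explicitly distrusted root.
SAMPLE_CERTDATA = "BEGINDATA\n" + "".join([
    _entry("Example TLS Root", TRUSTED_DELEGATOR, TRUSTED_DELEGATOR, TRUSTED_DELEGATOR),
    _entry("Example Email-Only Root", "CKT_NSS_MUST_VERIFY_TRUST", TRUSTED_DELEGATOR, "CKT_NSS_MUST_VERIFY_TRUST"),
    _entry("Example Distrusted Root", "CKT_NSS_NOT_TRUSTED", "CKT_NSS_NOT_TRUSTED", "CKT_NSS_NOT_TRUSTED"),
])

def build_bundle(text=SAMPLE_CERTDATA):
    """Parse, filter and render; returns (pem_text, skipped) so the dropped roots can be reviewed."""
    kept, skipped = select_server_auth_cas(parse_certdata(text))
    return "".join(to_pem(label, der) for label, der in kept), skipped
```

Running `build_bundle()` on the constructed sample yields a bundle containing only "Example TLS Root"; the `skipped` dictionary lists the email-only root with `CKA_TRUST_SERVER_AUTH = CKT_NSS_MUST_VERIFY_TRUST` and the distrusted root with `CKA_TRUST_SERVER_AUTH = CKT_NSS_NOT_TRUSTED`, which is the kind of per-certificate reason a reviewer would want when checking a commit like the one Ask asked about. Point it at a real certdata.txt by passing the file contents as `text`.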
Thanks again Thomas, this has been released as 20111025.
On Tue Oct 25 02:46:11 2011, ABH wrote:
> Thanks again Thomas, this has been released as 20111025.
Gah, also thanks to Tomas. You'd think with my name I'd know to be more careful spelling other people's names!