Hello,

On 25/11/2013 17:14, Sassan Panahinejad wrote:
I am dealing with a CA certificate bundle, similar to this one: https://github.com/twitter/secureheaders/blob/master/config/curl-ca-bundle.crt. Like the example, the one I am dealing with was automatically generated from Mozilla's certdata.txt.

Consider the certificate labelled "Bogus live.com". Now I know from some searching that this certificate is intended to block a bad certificate, but I don't know how this works in an openssl cert bundle. I am concerned that perhaps the conversion from the format used by Mozilla has led to the certificate being included as a trusted cert instead of an explicitly untrusted one.

Note that there are no other associated files (e.g. blacklist.txt) in either the example given or the file I am dealing with.

There's no real question in this post.

The author of the script used to create a CA bundle from the Mozilla root store only took the certificates from this Mozilla root store, without the associated permissions. This script is incomplete, and the resulting output should NOT be used. Therefore, you'll find as a result explicitly distrusted certificates, such as the bogus live.com cert, but also DigiNotar CA certificates, the MD5-collision CA, other bogus certs (gmail, yahoo, etc.), and CA certificates not trusted for SSL use.

Don't use that file, at all.

--
Erwann ABALEA
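As an added illustration of the point above (this is not code from the thread or from the script being criticised), here is how a converter should read the CKO_NSS_TRUST object that accompanies each CKO_CERTIFICATE in certdata.txt and keep only roots whose CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR, so that entries such as "Bogus live.com" (CKT_NSS_NOT_TRUSTED) and email-only CAs (CKT_NSS_MUST_VERIFY_TRUST) never reach an SSL bundle. The certdata fragment is constructed, its CKA_VALUE octal is a placeholder rather than real DER, and pairing trust objects to certificates by label is a simplification (the real file keys on issuer and serial).

```python
import re

# Constructed certdata.txt fragment (not Mozilla's file); the CKA_VALUE octal is a placeholder, not real DER.
SAMPLE_CERTDATA = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\012
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Bogus live.com"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\012
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Bogus live.com"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Email Only CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Email Only CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''

def split_certdata(text):
    """One dict per object; MULTILINE_OCTAL decoded to bytes, UTF8 strings unquoted."""
    objs = []
    for block in re.split(r'(?m)^(?=CKA_CLASS )', text)[1:]:
        obj = {}
        for key, typ, val in re.findall(r'^(CKA_\w+) (\w+)(?: (.*))?$', block, re.M):
            if typ == 'MULTILINE_OCTAL':
                raw = block.split(key + ' MULTILINE_OCTAL\n', 1)[1].split('\nEND', 1)[0]
                val = bytes(int(o, 8) for o in re.findall(r'\\([0-7]{3})', raw))
            obj[key] = val.strip('"') if typ == 'UTF8' else val
        objs.append(obj)
    return objs

def select_for_ssl_bundle(text):
    """Bucket certificates by CKA_TRUST_SERVER_AUTH; only 'trusted' may go into the bundle."""
    objs = split_certdata(text)
    # Simplification: trust objects are paired by label (the real file keys on issuer + serial).
    trust = {o['CKA_LABEL']: o for o in objs if o['CKA_CLASS'] == 'CKO_NSS_TRUST'}
    out = {'trusted': [], 'distrusted': [], 'not_for_ssl': []}
    for o in (o for o in objs if o['CKA_CLASS'] == 'CKO_CERTIFICATE'):
        flag = trust.get(o['CKA_LABEL'], {}).get('CKA_TRUST_SERVER_AUTH', 'CKT_NSS_MUST_VERIFY_TRUST')
        bucket = {'CKT_NSS_TRUSTED_DELEGATOR': 'trusted', 'CKT_NSS_NOT_TRUSTED': 'distrusted'}.get(flag, 'not_for_ssl')
        out[bucket].append(o['CKA_LABEL'])
    return out
```

A certificate with no trust object at all is treated as CKT_NSS_MUST_VERIFY_TRUST and therefore also stays out of the bundle.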
