Re: Extrace Mozilla trusted certs into PEM files?
On Tue, Aug 11, 2009 at 10:24:22AM -0700, Nelson B Bolyard wrote:
>> yes, i was asking about anonymous ssh - the above url assumes write cvs access.
>
> Please file a bug with bugzilla.mozilla.org, product mozilla.org, component Server Operations (or perhaps Server Operations Security) requesting that an anonymous ssh account be created for read-only access on the CVS mirrors.
> Please CC me on that bug. Thanks.

bug 509927.

for those badly needing some version of NSS over secure channel, they can hg clone/pull mozilla-central over HTTPS (though i haven't checked how hg deals with bad certs).

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Extrace Mozilla trusted certs into PEM files?
On 2009-08-10 10:24 PDT, Georgi Guninski wrote:
> On Mon, Aug 10, 2009 at 09:44:55AM -0700, Nelson B Bolyard wrote:
>> https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS#CVS_Client_Settings
>>
>> These instructions don't show the use of ssh. I'm not sure that the combination of anonymous cvs and ssh is available at this time. It was not available a year ago, but ...
>>
>> See https://developer.mozilla.org/en/Using_SSH_to_connect_to_CVS
>
> yes, i was asking about anonymous ssh - the above url assumes write cvs access.

Please file a bug with bugzilla.mozilla.org, product mozilla.org, component Server Operations (or perhaps Server Operations Security) requesting that an anonymous ssh account be created for read-only access on the CVS mirrors.
Please CC me on that bug. Thanks.
Re: Extrace Mozilla trusted certs into PEM files?
On Fri, Aug 07, 2009 at 04:29:40PM -0700, Nelson Bolyard wrote:
> OK, so do a cvs checkout over ssh instead.

how do i do this? (i don't have a cvs account on .m.o) ?
Re: Extrace Mozilla trusted certs into PEM files?
On 2009-08-10 01:52 PDT, Georgi Guninski wrote:
> On Fri, Aug 07, 2009 at 04:29:40PM -0700, Nelson Bolyard wrote:
>> OK, so do a cvs checkout over ssh instead.
>
> how do i do this? (i don't have a cvs account on .m.o)

You may use anonymous cvs to pull the source.

# setenv CVSROOT :pserver:anonym...@cvs-mirror.mozilla.org:/cvsroot
# cvs login
At the password prompt, type anonymous
# cd local directory to be root of your checked out source tree
# cvs checkout NSS    (gets entire tree)
or
# cvs checkout mozilla/security/nss/whatever file you want

https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS#CVS_Client_Settings

These instructions don't show the use of ssh. I'm not sure that the combination of anonymous cvs and ssh is available at this time. It was not available a year ago, but ...

See https://developer.mozilla.org/en/Using_SSH_to_connect_to_CVS
Re: Extrace Mozilla trusted certs into PEM files?
On Mon, Aug 10, 2009 at 09:44:55AM -0700, Nelson B Bolyard wrote:
> https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS#CVS_Client_Settings
>
> These instructions don't show the use of ssh. I'm not sure that the combination of anonymous cvs and ssh is available at this time. It was not available a year ago, but ...
>
> See https://developer.mozilla.org/en/Using_SSH_to_connect_to_CVS

yes, i was asking about anonymous ssh - the above url assumes write cvs access.
Re: Extrace Mozilla trusted certs into PEM files?
Nelson Bolyard wrote:
> On 2009-08-06 03:47, Michael Ströder wrote:
>> Eddy Nigg wrote:
>>>> Quite a while ago, I read a message from someone saying he had devised, or was going to devise, a scheme to extract all of Mozilla's trusted root certs from NSS and make PEM files from them, and use them as trusted certs in some other non-NSS-based product. Does anyone remember that? Can you point me to the person(s) who did that? I'd like to ask them about it, and maybe reuse it.
>>>
>>> Yes, that was Curl and here the link to the page http://curl.netmirror.org/docs/caextract.html and this is the tool: http://curl.netmirror.org/docs/parse-certs.txt
>>
>> It's about trust after all... So I wonder whether there's a chance to verify the integrity of
>> http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt
>
> Compare it to the master copy at
> http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/builtins/certdata.txt

Nelson, that's not even a HTTPS URL.

Ciao, Michael.
Re: Extrace Mozilla trusted certs into PEM files?
Eddy Nigg wrote:
>> Quite a while ago, I read a message from someone saying he had devised, or was going to devise, a scheme to extract all of Mozilla's trusted root certs from NSS and make PEM files from them, and use them as trusted certs in some other non-NSS-based product. Does anyone remember that? Can you point me to the person(s) who did that? I'd like to ask them about it, and maybe reuse it.
>
> Yes, that was Curl and here the link to the page http://curl.netmirror.org/docs/caextract.html and this is the tool: http://curl.netmirror.org/docs/parse-certs.txt

It's about trust after all... So I wonder whether there's a chance to verify the integrity of
http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt

Any list of fingerprints of the CA certs therein one could obtain (out-of-band)? Going to all the CA's web sites will not be overly effective I guess... :-/

Ciao, Michael.
Re: Extrace Mozilla trusted certs into PEM files?
On Thu, 6 Aug 2009, Eddy Nigg wrote:
> Yes, that was Curl and here the link to the page http://curl.netmirror.org/docs/caextract.html and this is the tool: http://curl.netmirror.org/docs/parse-certs.txt

Please don't use that site. It is an outdated mirror with old contents. :-(

The current page is at http://curl.haxx.se/docs/caextract.html and you'll note that it features a different script. The old one was so kludgy, slow and hard to read we had to let it go.

--
 / daniel.haxx.se
Re: Extrace Mozilla trusted certs into PEM files?
On 08/06/2009 01:54 PM, Daniel Stenberg:
> On Thu, 6 Aug 2009, Eddy Nigg wrote:
>> Yes, that was Curl and here the link to the page http://curl.netmirror.org/docs/caextract.html and this is the tool: http://curl.netmirror.org/docs/parse-certs.txt
>
> Please don't use that site. It is an outdated mirror with old contents. :-(
>
> The current page is at http://curl.haxx.se/docs/caextract.html and you'll note that it features a different script. The old one was so kludgy, slow and hard to read we had to let it go.

Cool, thanks for the update!

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
Re: Extrace Mozilla trusted certs into PEM files?
Michael Ströder wrote:
> Any list of fingerprints of the CA certs therein one could obtain (out-of-band)? Going to all the CA's web sites will not be overly effective I guess... :-/

We have SHA-1 fingerprints for a number of included roots on the included page:

http://www.mozilla.org/projects/security/certs/included/

The underlying source for this is an XML file, so it should be reasonably straightforward to parse.

The page above is not complete. However Kathleen Wilson is working on doing a complete list of all roots included in NSS (and thus in Firefox, et al.):

http://www.mozilla.org/projects/security/certs/BuiltIn-CAs/

She did not include fingerprints in that list, but it sounds like a reasonable thing to add. I suggest bringing this up in the discussion thread about this:

http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/791684fa7b490e96#

Also, like the list above this list is generated from an XML file.

Frank

--
Frank Hecker
hec...@mozillafoundation.org
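The fingerprint check discussed in this thread, as an added example that is not part of any poster's message and is not curl's or NSS's own code: it reads certificate objects in the certdata.txt layout (CKA_LABEL, CKA_VALUE MULTILINE_OCTAL ... END), emits PEM, and flags any root whose SHA-1 fingerprint differs from a list obtained out of band. The sample data, the function names and the fingerprint dictionary are constructed for illustration.

```python
import base64, hashlib, re, textwrap

# Constructed sample in certdata.txt syntax; the octal bytes are a stand-in
# DER blob, not a real CA certificate.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA (constructed)"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001
\005
END
'''

def parse_certdata(text):
    """Return [(label, der_bytes)] for every CKO_CERTIFICATE object."""
    certs, label, is_cert = [], None, False
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if line.startswith("CKA_CLASS"):
            is_cert = line.endswith("CKO_CERTIFICATE")
        elif is_cert and line.startswith("CKA_LABEL"):
            label = line.split('"')[1]
        elif is_cert and line == "CKA_VALUE MULTILINE_OCTAL":
            der = bytearray()
            for octal in lines:  # consume the octal block up to END
                if octal.strip() == "END":
                    break
                der += bytes(int(o, 8) for o in re.findall(r"\\([0-3][0-7]{2})", octal))
            certs.append((label, bytes(der)))
    return certs

def to_pem(der):
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sha1_fingerprint(der):
    """Colon-separated upper-case SHA-1 of the DER encoding."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def mismatches(certs, known_good):
    """Labels whose fingerprint is absent from, or differs from, the out-of-band list."""
    return [label for label, der in certs
            if known_good.get(label) != sha1_fingerprint(der)]

if __name__ == "__main__":
    for label, der in parse_certdata(SAMPLE):
        print(label, sha1_fingerprint(der))
        print(to_pem(der), end="")
```

This sketch does not read the separate trust objects in certdata.txt, so it lists every certificate object regardless of its trust setting.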
Re: Extrace Mozilla trusted certs into PEM files?
On 2009-08-06 03:47, Michael Ströder wrote:
> Eddy Nigg wrote:
>>> Quite a while ago, I read a message from someone saying he had devised, or was going to devise, a scheme to extract all of Mozilla's trusted root certs from NSS and make PEM files from them, and use them as trusted certs in some other non-NSS-based product. Does anyone remember that? Can you point me to the person(s) who did that? I'd like to ask them about it, and maybe reuse it.
>>
>> Yes, that was Curl and here the link to the page http://curl.netmirror.org/docs/caextract.html and this is the tool: http://curl.netmirror.org/docs/parse-certs.txt
>
> It's about trust after all... So I wonder whether there's a chance to verify the integrity of
> http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt

Compare it to the master copy at
http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/builtins/certdata.txt
Extrace Mozilla trusted certs into PEM files?
Hi all,

Quite a while ago, I read a message from someone saying he had devised, or was going to devise, a scheme to extract all of Mozilla's trusted root certs from NSS and make PEM files from them, and use them as trusted certs in some other non-NSS-based product.

Does anyone remember that? Can you point me to the person(s) who did that? I'd like to ask them about it, and maybe reuse it.

Thanks,
/Nelson
Re: Extrace Mozilla trusted certs into PEM files?
On 2009-08-05 17:05 PDT, Eddy Nigg wrote:
>> There's a perl script to extract all the data from the certdata.txt file. You can find it at http://www.floodgap.com/software/ttytter/mk-ca-bundle.txt .
>
> LOL, that was quick, but I beat you by a few seconds ;-)

Thanks, Eddy and Kyle.

Wan-Teh, I inquired based on an inquiry from someone who does not use NSS. The users of this feature are OpenSSL users only.