aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorGuenter Knauf <lists@gknw.net>2013-08-04 21:30:11 +0200
committerGuenter Knauf <lists@gknw.net>2013-08-04 21:30:11 +0200
commit51f0b798fa572496c56db62dc3970e4ea0b2760c (patch)
tree331a51ca3ccb8b5f01492d4d2bc287adb00025c5 /lib
parent6b27703b5f525eccdc0a8409f51de8595c75132a (diff)
Skip more untrusted certificates.
Christian Heimes brought to our attention that the certdata.txt format has recently changed [1], causing ca-bundle.crt created with mk-ca-bundle.[pl|vbs] to include untrusted certs. [1] http://lists.debian.org/debian-release/2012/11/msg00411.html
Diffstat (limited to 'lib')
-rwxr-xr-xlib/mk-ca-bundle.pl7
-rwxr-xr-xlib/mk-ca-bundle.vbs5
2 files changed, 7 insertions, 5 deletions
diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index edede4261..873f8fb77 100755
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -40,7 +40,7 @@ my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/
# If the OpenSSL commandline is not in search path you can configure it here!
my $openssl = 'openssl';
-my $version = '1.18';
+my $version = '1.19';
$opt_w = 76; # default base64 encoded lines length
@@ -185,8 +185,9 @@ while (<TXT>) {
while (<TXT>) {
last if (/^#/);
if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
- or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/) {
- $untrusted = 1;
+ or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/
+ or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_MUST_VERIFY_TRUST/) {
+ $untrusted = 1;
}
}
if ($untrusted) {
diff --git a/lib/mk-ca-bundle.vbs b/lib/mk-ca-bundle.vbs
index ec9f4520b..a8b2358a1 100755
--- a/lib/mk-ca-bundle.vbs
+++ b/lib/mk-ca-bundle.vbs
@@ -26,7 +26,7 @@
'* Hacked by Guenter Knauf
'***************************************************************************
Option Explicit
-Const myVersion = "0.3.7"
+Const myVersion = "0.3.8"
Const myUrl = "http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1"
@@ -131,7 +131,8 @@ For i = 0 To UBound(myLines)
While (i < UBound(myLines)) And Not (myLines(i) = "#")
i = i + 1
If (InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED") Or _
- InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN")) Then
+ InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN") Or _
+ InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST")) Then
myUntrusted = TRUE
End If
Wend