aboutsummaryrefslogtreecommitdiff
path: root/lib/mk-ca-bundle.pl
AgeCommit message (Collapse)Author
2014-10-23Some cosmetics and simplifies.Guenter Knauf
2014-10-23Remove dependency on openssl and cut.Guenter Knauf
Prefer usage of Perl modules for sha1 calculation since there might be systems where openssl is not installed or not in path. If openssl is used for sha1 calculation then dont rely on cut since it is usually not available on other systems than Linux.
2014-10-15mk-ca-bundle: added SHA-384 signature algorithmBruno Thomsen
Certificates based on SHA-1 are being phased out[1]. So we should expect a rise in certificates based on SHA-2. Adding SHA-384 as a valid signature algorithm. [1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/ Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
2014-09-11mk-ca-bundle.pl: converted tabs to spaces, deleted trailing spacesViktor Szakáts
2014-09-10mk-ca-bundle.pl: first, try downloading HTTPS with curlDaniel Stenberg
As a sort of step forward, this script will now first try to get the data from the HTTPS URL using curl, and only if that fails it will switch back to the HTTP transfer using perl's native LWP functionality. To reduce the risk of this script being tricked. Using HTTPS to get a cert bundle introduces a chicken-and-egg problem so we can't really ever completely disable HTTP, but chances are that most users already have a ca cert bundle that trusts the mozilla.org site that this script downloads from. A future version of this script will probably switch to require a dedicated "insecure" command line option to allow downloading over HTTP (or unverified HTTPS).
2014-08-13mk-ca-bundle.pl: add missing $Daniel Stenberg
2014-08-13mk-ca-bundle.pl: switched to using hg.mozilla.orgDaniel Stenberg
... as mxr.mozilla.org is due to be retired. The new host doesn't support If-Modified-Since nor ETags, meaning that the script will now defer to download and do a post-transfer checksum check to see if a new output is to be generated. The new output format will hold the SHA1 checksum of the source file for that purpose. We call this version 1.22 Reported-by: Ed Morley Bug: http://curl.haxx.se/bug/view.cgi?id=1409
2014-05-08mk-ca-bundle: added -pPatrick Watson
-p takes a list of Mozilla trust purposes and levels for certificates to include in output. Takes the form of a comma separated list of purposes, a colon, and a comma separated list of levels.
2014-01-05mk-ca-bundle.pl: avoid warnings with -d without parameterDaniel Stenberg
2014-01-05mk-ca-bundle: introduces -d and warns about using this scriptLeif W
2013-08-05Simplify check for trusted certificates.Guenter Knauf
This changes the previous check for untrusted certs to a check for certs explicitely marked as trusted. The change is backward-compatible (tested with certdata.txt v1.80).
2013-08-04Skip more untrusted certificates.Guenter Knauf
Christian Heimes brought to our attention that the certdata.txt format has recently changed [1], causing ca-bundle.crt created with mk-ca-bundle.[pl|vbs] to include untrusted certs. [1] http://lists.debian.org/debian-release/2012/11/msg00411.html
2013-04-10Fixed lost OpenSSL output with "-t" - followup.Guenter Knauf
The previously applied patch didnt work on Windows; we cant rely on shell commands like 'echo' since they act diffently on each platform and each shell. In order to keep this script platform-independent the code must only use pure Perl.
2013-04-09Fixed lost OpenSSL output with "-t".Guenter Knauf
The OpenSSL pipe wrote to the final CA bundle file, but the encoded PEM output wrote to a temporary file. Consequently, the OpenSSL output was lost when the temp file was renamed to the final file at script finish (overwriting the final file written earlier by openssl). Patch posted to the list by Richard Michael (rmichael edgeofthenet org).
2013-04-04Another small output fix for --help and --version.Guenter Knauf
2013-04-04Fixed version output.Guenter Knauf
2013-04-04Added support for --help and --version options.Guenter Knauf
2013-04-04Added option to specify length of base64 output.Guenter Knauf
Based on a patch posted to the list by Richard Michael.
2013-01-05mk-ca-bundle: add -f, support passing to stdout and moreDaniel Stenberg
1. When the downloaded data file from Mozilla is current, but the output bundle does not exist: continue processing to create the bundle. The goal is to have the output file - not just download the latest input. 2. added -f option to force re-processing the file. Useful for debugging/testing the process. 3. added support for output to '-' (stdout), allowing the output to be piped. 4. All progress and error messages go to STDERR rather than STDOUT (3) 5. The script opened and closed the output file many times unnecessarily. It now opens it once, does the output and closes it. 6. Backup of the input files happens after successful processing, not before. 7. The output is written to a temporary file, and renamed to the requested name after backup - this greatly reduces the window where the file can be seen partially written. 8. all die calls have a \n at the end to suppress perl's traceback - the traceback isn't useful to end users. Patch: http://curl.haxx.se/mail/lib-2013-01/0045.html
2012-09-04mk-ca-bundle: detect start of trust section betterDaniel Stenberg
Each certificate section of the input certdata.txt file has a trust section following it with details. This script failed to detect the start of the trust for at least one cert[*], which made the script continue pass that section into the next one where it found an 'untrusted' marker and as a result that certficate was not included in the output. [*] = "Hellenic Academic and Research Institutions RootCA 2011" Bug: http://curl.haxx.se/mail/lib-2012-09/0019.html
2012-04-04Revert "access the CA source file using HTTPS"Tim Heckman
This reverts commit f7e2ab6. This change caused fetching of the certificates to become unreliable. Bug: http://curl.haxx.se/mail/lib-2012-03/0238.html Reported by: Tim Heckman
2012-03-31Revert "mk-ca-bundle.pl: use LWP::UserAgent for https"Daniel Stenberg
This reverts commit 9f0e1689f169b83b8fbdae23e0024cc57dcbc770. It turned out that "improvement" instead made the fetching of the certificates unreliable Bug: http://curl.haxx.se/mail/lib-2012-03/0238.html Reported by: Tim Heckman
2012-03-10mk-ca-bundle.pl: use LWP::UserAgent with proper https verify behavior.John Joseph Bachir
An alternative would be: 1. specify HTTPS_CA_DIR and/or HTTPS_CA_FILE 2. ensure that Net::SSL is being used, and IO::Socket::SSL is NOT being used This question and answer explain: http://stackoverflow.com/questions/74358/
2012-03-10access the CA source file using HTTPSJohn Joseph Bachir
2011-09-20Also skip certs masked as CKT_NSS_TRUST_UNKNOWN.Guenter Knauf
Fix posted by Tomas Hoger <thoger redhat com>.
2011-09-04Fixed final message output.Guenter Knauf
2011-09-04Fix to skip untrusted certs.Guenter Knauf
2011-04-14Replaced var manipulations with perlish hacks.Guenter Knauf
2011-04-07mk-ca-bundle.pl: show full URL in outputDaniel Stenberg
When I decided to search for a potential error with the cacert bundle it struck me I wanted to see the full source URL in the output...
2011-04-01Increased script version.Guenter Knauf
2011-04-01Make use of proxy vars if set.Guenter Knauf
Posted to the list by Quanah Gibson-Mount [quanah zimbra.com].
2011-04-01Use var again instead of hard-coded filename.Guenter Knauf
2011-03-14mk-ca-bundle.pl: Only download if modifiedAsk Bjørn Hansen
Only download and convert the certdata to the ca-bundle.crt if Mozilla changed the data The Perl LWP module (which in a bit of a circular reference is used by mk-ca-bundle.pl) is now indirectly using this script. I made this small tweak to make it easier to automatically maintain the generated ca-bundle.crt file in version control.
2011-02-02mk-ca-bundle.pl: use new cacert urlDaniel Stenberg
The official Mozilla page at http://www.mozilla.org/projects/security/certs/ points out a new place as the "proper" place to get Mozilla's CA certs from so this script is now updated to use that instead. Reported by: Daniel Mentz
2010-07-22Fixed script version which was still based on CVS Revision tag.Guenter Knauf
2010-03-24restore executable bits on some filesDaniel Stenberg
2010-03-24remove the CVSish $Id$ linesDaniel Stenberg
2010-02-14removed trailing whitespaceYang Tse
2008-08-23removed obsolete slash in URL.Gunter Knauf
2008-08-23revert accidental commitDaniel Stenberg
2008-08-23- Constantine Sapuntzakis fixed a bug when doing proxy CONNECT with the multiDaniel Stenberg
interface, and the proxy would send Connection: close during the authentication phase. http://curl.haxx.se/bug/view.cgi?id=2069047
2008-08-21use a more updated certdata.txt URLDaniel Stenberg
2008-02-15fixed version var.Gunter Knauf
2008-02-15moved info block up before help block so that it can also be displayed ↵Gunter Knauf
before help option; trial to add a version number.
2008-02-11open pipe to openssl commandline instead of writing into temp file.Gunter Knauf
2008-02-11added strict to make sure all vars are properly defined;Gunter Knauf
added -t switch to make text info of CAs optional; added -q switch to be really quiet.
2008-02-10added -b switch to provide a backup functionality for existing ca-bundle.crt ↵Gunter Knauf
file.
2008-02-09fixed another wrong var in error message.Gunter Knauf
2008-02-09fixed wrong var in error message.Gunter Knauf
2008-02-08use argument to specify output filename if present.Gunter Knauf