Age | Commit message (Collapse) | Author |
|
The previously applied patch didnt work on Windows; we cant rely
on shell commands like 'echo' since they act diffently on each
platform and each shell.
In order to keep this script platform-independent the code must
only use pure Perl.
|
|
The OpenSSL pipe wrote to the final CA bundle file, but the encoded PEM
output wrote to a temporary file. Consequently, the OpenSSL output was
lost when the temp file was renamed to the final file at script finish
(overwriting the final file written earlier by openssl).
Patch posted to the list by Richard Michael (rmichael edgeofthenet org).
|
|
|
|
|
|
|
|
Based on a patch posted to the list by Richard Michael.
|
|
1. When the downloaded data file from Mozilla is current, but the output
bundle does not exist: continue processing to create the bundle. The
goal is to have the output file - not just download the latest input.
2. added -f option to force re-processing the file. Useful for
debugging/testing the process.
3. added support for output to '-' (stdout), allowing the output to be
piped.
4. All progress and error messages go to STDERR rather than STDOUT (3)
5. The script opened and closed the output file many times
unnecessarily. It now opens it once, does the output and closes it.
6. Backup of the input files happens after successful processing, not
before.
7. The output is written to a temporary file, and renamed to the
requested name after backup - this greatly reduces the window where the
file can be seen partially written.
8. all die calls have a \n at the end to suppress perl's traceback - the
traceback isn't useful to end users.
Patch: http://curl.haxx.se/mail/lib-2013-01/0045.html
|
|
Each certificate section of the input certdata.txt file has a trust
section following it with details.
This script failed to detect the start of the trust for at least one
cert[*], which made the script continue pass that section into the next
one where it found an 'untrusted' marker and as a result that certficate
was not included in the output.
[*] = "Hellenic Academic and Research Institutions RootCA 2011"
Bug: http://curl.haxx.se/mail/lib-2012-09/0019.html
|
|
This reverts commit f7e2ab6.
This change caused fetching of the certificates to become unreliable.
Bug: http://curl.haxx.se/mail/lib-2012-03/0238.html
Reported by: Tim Heckman
|
|
This reverts commit 9f0e1689f169b83b8fbdae23e0024cc57dcbc770.
It turned out that "improvement" instead made the fetching of the
certificates unreliable
Bug: http://curl.haxx.se/mail/lib-2012-03/0238.html
Reported by: Tim Heckman
|
|
An alternative would be:
1. specify HTTPS_CA_DIR and/or HTTPS_CA_FILE
2. ensure that Net::SSL is being used, and IO::Socket::SSL is NOT being
used
This question and answer explain:
http://stackoverflow.com/questions/74358/
|
|
|
|
Fix posted by Tomas Hoger <thoger redhat com>.
|
|
|
|
|
|
|
|
When I decided to search for a potential error with the cacert bundle it
struck me I wanted to see the full source URL in the output...
|
|
|
|
Posted to the list by Quanah Gibson-Mount [quanah zimbra.com].
|
|
|
|
Only download and convert the certdata to the ca-bundle.crt if Mozilla
changed the data
The Perl LWP module (which in a bit of a circular reference is used by
mk-ca-bundle.pl) is now indirectly using this script. I made this small
tweak to make it easier to automatically maintain the generated
ca-bundle.crt file in version control.
|
|
The official Mozilla page at
http://www.mozilla.org/projects/security/certs/ points out a new place
as the "proper" place to get Mozilla's CA certs from so this script is
now updated to use that instead.
Reported by: Daniel Mentz
|
|
|
|
|
|
|
|
|
|
|
|
|
|
interface, and the proxy would send Connection: close during the
authentication phase. http://curl.haxx.se/bug/view.cgi?id=2069047
|
|
|
|
|
|
before help option; trial to add a version number.
|
|
|
|
added -t switch to make text info of CAs optional;
added -q switch to be really quiet.
|
|
file.
|
|
|
|
|
|
|
|
added a switch to display certdata.txt version header.
|
|
|