From 51f0b798fa572496c56db62dc3970e4ea0b2760c Mon Sep 17 00:00:00 2001 From: Guenter Knauf Date: Sun, 4 Aug 2013 21:30:11 +0200 Subject: Skip more untrusted certificates. Christian Heimes brought to our attention that the certdata.txt format has recently changed [1], causing ca-bundle.crt created with mk-ca-bundle.[pl|vbs] to include untrusted certs. [1] http://lists.debian.org/debian-release/2012/11/msg00411.html --- lib/mk-ca-bundle.pl | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'lib/mk-ca-bundle.pl') diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl index edede4261..873f8fb77 100755 --- a/lib/mk-ca-bundle.pl +++ b/lib/mk-ca-bundle.pl @@ -40,7 +40,7 @@ my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/ # If the OpenSSL commandline is not in search path you can configure it here! my $openssl = 'openssl'; -my $version = '1.18'; +my $version = '1.19'; $opt_w = 76; # default base64 encoded lines length @@ -185,8 +185,9 @@ while () { while () { last if (/^#/); if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/ - or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/) { - $untrusted = 1; + or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/ + or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_MUST_VERIFY_TRUST/) { + $untrusted = 1; } } if ($untrusted) { -- cgit v1.2.3