On Fri, 2017-04-07 at 10:38 +0200, Kamil Dudka wrote:
> Although we build libcurl against NSS now, it loads the same CA bundle as
> if we built it against OpenSSL:
>
> /etc/pki/tls/certs/ca-bundle.crt
>
> So I doubt it could actually take advantage of those extra flags.

This file doesn't contain the distrust flags.

The correct file would be /etc/pki/tls/certs/ca-bundle.trust.crt

> If you have a reproducer at hand, you can give it a try.

I currently don't know of a public test site that uses a blacklisted
certificate.

As long as libcurl/openssl doesn't load the right file, we don't need to
test. When you're able to switch openssl to use the correct one, I can help
to create a test for that.

> > Even if you switch that to the distrust list, you still don't get the
> > partial distrust, which may be implemented at the NSS code level (such as
> > date-based distrust for StartCom/WoSign roots, and the domain constraints
> > for some CA).
>
> You say "may be implemented at the NSS code level".

The intention was to say that additional distrust rules might get
implemented at the NSS code level in the future.

> Do I understand it correctly that NSS currently does not implement the
> date-based distrust and the domain constraints?

NSS does implement them, see the places where the wiki page mentions NSS:
https://wiki.mozilla.org/CA:Root_Store_Trust_Mods

Kai
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
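Added example, not part of the thread above and not code from Kai, Kamil, libcurl, OpenSSL or p11-kit: a small Python scanner that makes the difference between the two files concrete. ca-bundle.crt is a plain PEM bundle of CERTIFICATE blocks, which carry no trust attributes at all, so a distrusted root in it is indistinguishable from a trusted one. ca-bundle.trust.crt uses OpenSSL's trusted-certificate format: each TRUSTED CERTIFICATE block is the certificate DER followed by an X509_CERT_AUX trailer that lists the purposes the root is explicitly trusted or rejected for, which is how OpenSSL represents distrust. The scanner walks the DER, decodes that trailer and reports the flags per entry. The OID label table, the placeholder certificate body (a stand-in for a real certificate DER; the scanner only needs its outer SEQUENCE length) and the two sample bundles are constructed for the example.

```python
"""Report the OpenSSL trust/reject flags carried by each entry of a PEM CA bundle.

Plain CERTIFICATE blocks carry no trust attributes. TRUSTED CERTIFICATE blocks
(OpenSSL's format, as in ca-bundle.trust.crt) append an X509_CERT_AUX trailer:
  SEQUENCE { trust SEQUENCE OF OID OPTIONAL, reject [0] IMPLICIT SEQUENCE OF OID
             OPTIONAL, alias UTF8String OPTIONAL, keyid [1] ..., other [2] ... }
"""
import base64
import re

# Readable names for purpose OIDs found in trust/reject lists (assumed subset).
OID_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
             "1.3.6.1.5.5.7.3.4": "emailProtection", "2.5.29.37.0": "anyExtendedKeyUsage"}
PEM_RE = re.compile(r"-----BEGIN (TRUSTED CERTIFICATE|CERTIFICATE)-----(.*?)-----END \1-----", re.S)


def der_tlv(data, pos=0):
    """Return (tag, value, end) of the definite-length DER TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def oid_list(seq):
    """Decode a SEQUENCE OF OBJECT IDENTIFIER body into purpose names."""
    names, pos = [], 0
    while pos < len(seq):
        tag, val, pos = der_tlv(seq, pos)
        if tag == 0x06:
            oid = decode_oid(val)
            names.append(OID_NAMES.get(oid, oid))
    return names


def parse_cert_aux(aux):
    """Decode the X509_CERT_AUX trailer that follows the certificate DER."""
    info = {"trust": [], "reject": [], "alias": None}
    tag, body, _ = der_tlv(aux)
    pos = 0
    while tag == 0x30 and pos < len(body):
        t, val, pos = der_tlv(body, pos)
        if t == 0x30:      # trust: purposes this root is explicitly trusted for
            info["trust"] = oid_list(val)
        elif t == 0xA0:    # reject [0]: purposes this root is explicitly distrusted for
            info["reject"] = oid_list(val)
        elif t == 0x0C:    # alias: human-readable label; keyid/other carry no trust info
            info["alias"] = val.decode("utf-8")
    return info


def scan_bundle(pem_text):
    """One dict per PEM block: kind, trusted purposes, rejected purposes, alias."""
    entries = []
    for kind, b64 in PEM_RE.findall(pem_text):
        blob = base64.b64decode(b64)       # b64decode discards the PEM line breaks
        _, _, cert_end = der_tlv(blob)     # the Certificate SEQUENCE comes first
        entry = {"kind": kind, "trust": [], "reject": [], "alias": None}
        if kind == "TRUSTED CERTIFICATE" and cert_end < len(blob):
            entry.update(parse_cert_aux(blob[cert_end:]))
        entries.append(entry)
    return entries


def carries_distrust(pem_text):
    """True if any entry has a reject list, i.e. the file can express distrust at all."""
    return any(e["reject"] for e in scan_bundle(pem_text))


# --- constructed sample data (short-form DER lengths suffice here) ---------------
def der_encode(tag, value):
    return bytes([tag, len(value)]) + value


def trusted_entry(cert_der, trust=(), reject=(), alias=None):
    aux = der_encode(0x30, b"".join(trust)) if trust else b""
    aux += der_encode(0xA0, b"".join(reject)) if reject else b""
    aux += der_encode(0x0C, alias.encode()) if alias else b""
    return cert_der + der_encode(0x30, aux)


def pem_block(kind, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    return f"-----BEGIN {kind}-----\n{b64}\n-----END {kind}-----\n"


OID_SERVER_AUTH = bytes.fromhex("06082b06010505070301")  # 1.3.6.1.5.5.7.3.1, pre-encoded
OID_EMAIL_PROT = bytes.fromhex("06082b06010505070304")   # 1.3.6.1.5.5.7.3.4
OID_ANY_EKU = bytes.fromhex("0604551d2500")              # 2.5.29.37.0
# PLACEHOLDER_CERT stands in for a real certificate DER: the scanner only uses its
# outer SEQUENCE length to find where the CERT_AUX trailer starts.
PLACEHOLDER_CERT = der_encode(0x30, der_encode(0x02, b"\x01"))
SAMPLE_PLAIN_BUNDLE = pem_block("CERTIFICATE", PLACEHOLDER_CERT)
SAMPLE_TRUST_BUNDLE = pem_block("TRUSTED CERTIFICATE", trusted_entry(
    PLACEHOLDER_CERT, trust=[OID_ANY_EKU], alias="Example Trusted Root")) + pem_block(
    "TRUSTED CERTIFICATE", trusted_entry(PLACEHOLDER_CERT, alias="Example Distrusted Root",
                                         reject=[OID_SERVER_AUTH, OID_EMAIL_PROT]))

if __name__ == "__main__":
    for e in scan_bundle(SAMPLE_TRUST_BUNDLE + SAMPLE_PLAIN_BUNDLE):
        print(f"{e['kind']:<20} alias={e['alias']!r} trust={e['trust']} reject={e['reject']}")
```

On a Fedora host, feeding the contents of /etc/pki/tls/certs/ca-bundle.crt and ca-bundle.trust.crt to scan_bundle() shows the difference Kai describes: the former yields only plain CERTIFICATE entries with empty flag lists, so carries_distrust() is False for it no matter what the root store says. Which of the two files a given curl binary actually opens is a separate question, and one that strace -e trace=open,openat answers directly.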