On Friday, April 07, 2017 11:01:35 Kai Engert wrote:
> On Fri, 2017-04-07 at 10:38 +0200, Kamil Dudka wrote:
> > Although we build libcurl against NSS now, it loads the same CA bundle as
> > if we built it against OpenSSL:
> >
> > /etc/pki/tls/certs/ca-bundle.crt
> >
> > So I doubt it could actually take advantage of those extra flags.
>
> This file doesn't contain the distrust flags.
>
> The correct file would be /etc/pki/tls/certs/ca-bundle.trust.crt

Yes, but it does not make sense to load such a file by nss-pem because it
does not support those flags anyway. The correct fix for NSS-linked libcurl
would probably be to just disable loading the CA roots from file by default.

> > If you
> > have a reproducer at hand, you can give it a try.
>
> I currently don't know of a public test site that uses a blacklisted
> certificate.
>
> As long as libcurl/openssl doesn't load the right file, we don't need to
> test.
>
> When you're able to switch openssl to use the correct one, I can help to
> create a test for that.
>
> > > Even if you switch that to the distrust list, you still don't get the
> > > partial distrust, which may be implemented at the NSS code level (such
> > > as date based distrust for StartCom/WoSign roots, and the domain
> > > constraints for some CA).
> >
> > You say "may be implemented at the NSS code level".
>
> The intention was to say that additional distrust rules might get
> implemented at the NSS code level in the future.
>
> > Do I understand it
> > correctly that NSS currently does not implement the date based distrust
> > and the domain constraints?
>
> NSS does implement them, see the places where the wiki page mentions NSS:
> https://wiki.mozilla.org/CA:Root_Store_Trust_Mods

Thanks for the link! I did not know it was implemented while talking about
this topic with curl upstream recently (and Daniel Stenberg, who works for
Mozilla, did not know it either). It is good that it is implemented in NSS
now.

Kamil

> Kai
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
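The thread turns on the difference between a plain CA bundle (ca-bundle.crt, only `BEGIN CERTIFICATE` blocks) and the trust bundle (ca-bundle.trust.crt, `BEGIN TRUSTED CERTIFICATE` blocks in OpenSSL's "trusted certificate" encoding, where the X.509 DER is followed by an auxiliary structure listing trust and reject purposes). A TLS library that only reads plain certificate blocks, which is what Kamil says nss-pem effectively does, never sees a reject entry such as serverAuth and so cannot apply the distrust. The script below is an added example written for this page, not code from curl, nss-pem, NSS, or the thread participants. It inspects a bundle and reports, per block, which purposes are trusted or rejected. The sample bundle is constructed in the script itself, and its "certificate" bodies are a placeholder DER SEQUENCE rather than real certificates, which is enough because only the outer tag/length structure is parsed. The OID-to-name map covers the standard extended-key-usage OIDs; the aux layout (trust as a bare SEQUENCE OF OID, reject as [0] IMPLICIT SEQUENCE OF OID) follows OpenSSL's X509_CERT_AUX definition.

```python
import base64
import re

# One PEM block: label in group 1, base64 body in group 2 (may span lines).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Standard purpose OIDs that OpenSSL records in the aux trust/reject lists.
OID_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def oid_list(seq_value):
    """Return the names (or dotted OIDs) inside a SEQUENCE OF OBJECT IDENTIFIER."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = der_tlv(seq_value, pos)
        if tag == 0x06:
            oid = decode_oid(val)
            out.append(OID_NAMES.get(oid, oid))
    return out


def parse_trusted_aux(der):
    """Split a TRUSTED CERTIFICATE DER into (trust, reject) purpose lists.

    Layout: Certificate SEQUENCE, then X509_CERT_AUX SEQUENCE whose members
    are trust (0x30, SEQUENCE OF OID) and reject (0xA0, [0] IMPLICIT).
    """
    _, _cert, pos = der_tlv(der, 0)
    trust, reject = [], []
    if pos < len(der):
        _, aux, _ = der_tlv(der, pos)
        apos = 0
        while apos < len(aux):
            tag, val, apos = der_tlv(aux, apos)
            if tag == 0x30:
                trust = oid_list(val)
            elif tag == 0xA0:
                reject = oid_list(val)
    return trust, reject


def inspect_bundle(pem_text):
    """Classify every PEM block; plain CERTIFICATE blocks carry no trust data."""
    results = []
    for label, b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        trust, reject = parse_trusted_aux(der) if label == "TRUSTED CERTIFICATE" else ([], [])
        results.append({"type": label, "trust": trust, "reject": reject,
                        "distrusted_for_tls": "serverAuth" in reject})
    return results


# Constructed sample data (placeholder, not real certificates).
FAKE_CERT_DER = bytes.fromhex("3003020101")                       # SEQUENCE { INTEGER 1 }
AUX_REJECT_SERVERAUTH = bytes.fromhex("300ca00a06082b06010505070301")  # reject [0] {serverAuth}
AUX_TRUST_SERVERAUTH = bytes.fromhex("300c300a06082b06010505070301")   # trust {serverAuth}


def pem_block(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


def build_sample_bundle():
    """A three-entry bundle: plain cert, distrusted-for-TLS cert, trusted-for-TLS cert."""
    return (pem_block("CERTIFICATE", FAKE_CERT_DER)
            + pem_block("TRUSTED CERTIFICATE", FAKE_CERT_DER + AUX_REJECT_SERVERAUTH)
            + pem_block("TRUSTED CERTIFICATE", FAKE_CERT_DER + AUX_TRUST_SERVERAUTH))


if __name__ == "__main__":
    for entry in inspect_bundle(build_sample_bundle()):
        print(entry)
```

Run against a real /etc/pki/tls/certs/ca-bundle.trust.crt the same `inspect_bundle` reports which roots carry a reject entry for serverAuth; against ca-bundle.crt every entry comes back with empty lists, which is exactly why a consumer of that file (or a loader that ignores the aux data) cannot honour the distrust.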