Hi, I believe there is a problem with the instructions to install CA certificates: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html
The script that extracts certificates from Mozilla's certdata.txt explicitly rejects only certificates that have CKA_TRUST_SERVER_AUTH set to CKT_NETSCAPE_TRUST_UNKNOWN, which is kind of pointless, because:

$ grep ^CKA_TRUST_SERVER_AUTH certdata.txt | sort -u
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN

There is no "CKT_NETSCAPE_TRUST_UNKNOWN", but there is "CKT_NSS_TRUST_UNKNOWN". And there is also "CKT_NSS_NOT_TRUSTED". So it looks like the script extracts all the certificates, including those explicitly distrusted by Mozilla.

Also, it seems a bit strange that only CKA_TRUST_SERVER_AUTH is checked, because certificates can be used for things other than server authentication (although I don't know if there are any certificates on the list that have different trust levels for different purposes).

--
Kind Regards,
Sergei.
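
Added example, not part of the original message and not the BLFS script: a small parser that compares the check described above with an allowlist on CKT_NSS_TRUSTED_DELEGATOR. The sample data and labels are constructed, and the allowlist rule and the helper names are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of certdata.txt trust objects; labels are made up.
SAMPLE = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email Only C"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

LABEL_RE = re.compile(r'^CKA_LABEL\s+UTF8\s+"(.*)"')
TRUST_RE = re.compile(r"^(CKA_TRUST_\w+)\s+CK_TRUST\s+(\w+)")

def parse_trust(text):
    """Return {label: {trust attribute: trust value}} for every CKO_NSS_TRUST object."""
    objects, current, in_trust = {}, None, False
    for line in text.splitlines():
        if line.startswith("CKA_CLASS"):
            in_trust, current = line.split()[-1] == "CKO_NSS_TRUST", None
        elif in_trust and (m := LABEL_RE.match(line)):
            current = objects.setdefault(m.group(1), {})
        elif current is not None and (m := TRUST_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return objects

def denylist_accepts(trust):
    # The check described in the message: reject one value, which never occurs.
    return trust.get("CKA_TRUST_SERVER_AUTH") != "CKT_NETSCAPE_TRUST_UNKNOWN"

def allowlist_accepts(trust, purpose="CKA_TRUST_SERVER_AUTH"):
    # Assumed alternative: keep a CA only when it is a trusted delegator for the purpose.
    return trust.get(purpose) == "CKT_NSS_TRUSTED_DELEGATOR"

def accepted(objects, check, **kw):
    """List the labels of trust objects that pass the given check."""
    return [label for label, trust in objects.items() if check(trust, **kw)]

if __name__ == "__main__":
    objs = parse_trust(SAMPLE)
    print("denylist :", accepted(objs, denylist_accepts))
    print("allowlist:", accepted(objs, allowlist_accepts))
    print("email    :", accepted(objs, allowlist_accepts, purpose="CKA_TRUST_EMAIL_PROTECTION"))
```

On the constructed sample the denylist check keeps all three entries, including the one marked CKT_NSS_NOT_TRUSTED, while the allowlist keeps only the entry trusted for the requested purpose.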
