On 12/13/2011 06:14 PM, DJ Lucas wrote:
> On 12/12/2011 01:23 PM, Sergei Zhirikov wrote:
>> Hi,
>>
>> I believe there is a problem with the instructions to install CA certificates:
>> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html
>>
>> The script that extracts certificates from Mozilla's certdata.txt explicitly rejects only certificates that have CKA_TRUST_SERVER_AUTH set to CKT_NETSCAPE_TRUST_UNKNOWN, which is kind of pointless, because:
>>
>> $ grep ^CKA_TRUST_SERVER_AUTH certdata.txt | sort -u
>> CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
>> CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
>> CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
>>
>> There is no "CKT_NETSCAPE_TRUST_UNKNOWN", but there is "CKT_NSS_TRUST_UNKNOWN". And there is also "CKT_NSS_NOT_TRUSTED". So it looks like the script extracts all the certificates, including those explicitly distrusted by Mozilla.
>>
>> Also, it seems a bit strange that only CKA_TRUST_SERVER_AUTH is checked, because certificates can be used for things other than server authentication (although I don't know if there are any certificates on the list that have different trust levels for different purposes).
>>
>> --
>> Kind Regards,
>> Sergei.
>
> Yes, it looks like they changed things upstream. We'll get on it ASAP. Thanks for the report.
>
> -- DJ Lucas

This should work...

-- DJ Lucas

make-ca.sh
Description: Bourne shell script
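
The trust check discussed in this thread, as an added Python example that is not part of the thread and is not the attached make-ca.sh: it contrasts the reject-one-name check Sergei describes with an allowlist that accepts only CKT_NSS_TRUSTED_DELEGATOR, per purpose. The sample records are constructed; the names CKO_NSS_TRUST, CKA_LABEL and CKA_TRUST_EMAIL_PROTECTION come from the certdata.txt format rather than from this thread, and treating the upstream rename as prefix-only is an assumption.

```python
import re

# Constructed sample in certdata.txt attribute syntax (not real Mozilla data).
SAMPLE = '''\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

TRUST_LINE = re.compile(r'^(CKA_TRUST_\w+)\s+CK_TRUST\s+(CKT_\w+)\s*$')
LABEL_LINE = re.compile(r'^CKA_LABEL\s+UTF8\s+"(.*)"\s*$')

def parse_trust_objects(text):
    """Return [{'label': str, 'trust': {attribute: value}}], one per trust object."""
    objects, current = [], None
    for line in text.splitlines():
        if line.startswith('CKA_CLASS'):
            # Keep only trust objects; other object classes are skipped.
            current = None
            if line.split()[-1].endswith('_TRUST'):
                current = {'label': None, 'trust': {}}
                objects.append(current)
        elif current is not None:
            if m := LABEL_LINE.match(line):
                current['label'] = m.group(1)
            elif m := TRUST_LINE.match(line):
                current['trust'][m.group(1)] = m.group(2)
    return objects

def legacy_accepts(obj):
    """The check as described in the report: reject only one exact, stale name."""
    return obj['trust'].get('CKA_TRUST_SERVER_AUTH') != 'CKT_NETSCAPE_TRUST_UNKNOWN'

def allowlist_accepts(obj, purpose='CKA_TRUST_SERVER_AUTH'):
    """Accept only an explicit trusted-delegator value; everything else is rejected."""
    value = obj['trust'].get(purpose, '')
    # Assumption: the upstream rename changed only the CKT_NETSCAPE_ prefix.
    return value.replace('CKT_NETSCAPE_', 'CKT_NSS_') == 'CKT_NSS_TRUSTED_DELEGATOR'
```

Because the allowlist fails closed, a future rename of the trust constants results in no certificates being accepted rather than all of them.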
