The problem with mozroots in general is that it has a hardcoded URL to 
Mozilla's Mercurial source code repository embedded where it grabs the 
certificate list from.
This breaks when they change their repo and then mozroots is broken (which has 
happened in the past).
Another problem is that the connection over which this happens can't use SSL 
(because when you're using mozroots you typically won't yet have any trusted 
CAs) which is just bad.

Granted, this doesn't affect the use on Windows that much as you can just pass 
it the file but was a problem on the majority use case which is Linux where we 
used it during package installation.

cert-sync in turn supports importing from the Linux OpenSSL certificate 
locations and also imports into the Mono trust store that is used by the new 
BoringSSL TLS provider.
Thus it's easier to just standardize on one tool.

Hope this helps,
Alex


On 22.04.2017, at 00:24, Matt Johnson (AZURE) 
<matt.john...@microsoft.com> wrote:

Since that’s sourced from Mozilla anyway, how is this different than using the 
mozroots utility?

Thanks,
Matt

From: Alexander Köplinger
Sent: Friday, April 21, 2017 2:48 PM
To: Matt Johnson (AZURE) 
<matt.john...@microsoft.com>
Cc: mono-list@lists.dot.net
Subject: Re: [Mono-list] How to use cert-sync on Windows?

You can just download curl's list of certificates from 
https://curl.haxx.se/ca/cacert.pem and then import the list via "cert-sync 
--user cacert.pem".

As far as I'm aware we don't currently support reading the certificates from 
the Windows certificate store.

- Alex


On 21.04.2017, at 22:24, Matt Johnson (AZURE) via Mono-list 
<mono-list@lists.dot.net> wrote:

Reading the SSL/TLS FAQ here: 
http://www.mono-project.com/docs/faq/security/
And the details on how to use cert-sync here: 
http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync

I don’t see any details of how to get the ca-bundle.crt file on Windows. The 
instructions only show Linux and OSX. One would assume it needs to be 
exported from the Windows certificate store? How is that done?

I can use the mozroots utility for now, but it gives the deprecation warning so 
I’d like to use cert-sync instead.

Thanks,
Matt
_______________________________________________
Mono-list maillist  -  Mono-list@lists.dot.net
http://lists.dot.net/mailman/listinfo/mono-list
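
The thread's suggestion is to download cacert.pem and hand it to "cert-sync --user cacert.pem", and it also notes that fetching trust anchors over an unauthenticated channel is a weakness. The following is an added example, not part of the thread and not Mono's code: a pre-import check that pins the bundle's SHA-256 and rejects truncated or non-PEM downloads. The names `inspect_bundle` and `SAMPLE` are hypothetical, and the expected digest is assumed to have been obtained through a separate trusted channel.

```python
import base64
import hashlib
import re

# One PEM certificate block; bundles also carry label/comment lines between blocks.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def inspect_bundle(pem_bytes, expected_sha256=None):
    """Return (bundle_sha256, per-certificate SHA-256 list); raise ValueError if bad."""
    digest = hashlib.sha256(pem_bytes).hexdigest()
    # expected_sha256 is assumed to come from a separate, trusted channel.
    if expected_sha256 is not None and digest != expected_sha256.lower():
        raise ValueError("bundle digest mismatch: got " + digest)
    text = pem_bytes.decode("ascii", errors="replace")
    fingerprints = []
    for n, match in enumerate(PEM_CERT.finditer(text), 1):
        try:
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate #{n}: invalid base64") from exc
        # A DER-encoded certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
        if not der or der[0] != 0x30:
            raise ValueError(f"certificate #{n}: not a DER SEQUENCE")
        fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("no certificates found (error page or empty download?)")
    # Every BEGIN marker must have produced a parsed block, else the file is cut off.
    if text.count("-----BEGIN CERTIFICATE-----") != len(fingerprints):
        raise ValueError("unterminated certificate block (truncated download?)")
    return digest, fingerprints


def _pem(der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample: two tiny DER SEQUENCEs standing in for real certificates.
SAMPLE = ("# constructed sample bundle\n" + _pem(b"\x30\x03\x02\x01\x01")
          + "Constructed CA label\n" + _pem(b"\x30\x03\x02\x01\x02")).encode()

if __name__ == "__main__":
    bundle_digest, fps = inspect_bundle(SAMPLE)
    print("bundle sha256:", bundle_digest)
    print("certificates:", len(fps))
```

Run it against the downloaded file's bytes before the import step; the per-certificate fingerprints it returns can be diffed against a previous run to see which roots were added or dropped.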