Re: [openssl-users] CA certificate bundle bogus certs

2013-11-26 Thread Ralph Holz
Hi,


> Thanks for your response. I'm sorry my question wasn't clearly defined
> (it was: will this file work correctly? If so, why?), but you seem to
> have answered nonetheless, thank you.
>
> As a follow-up question, is there a way to include these certs in the way
> originally intended by the mozilla file (blocking them)? In any case, I

There is:

https://github.com/agl/extract-nss-root-certs

If you need to work on (much) older root stores, too:

https://github.com/ralphholz/root-store-archaeology

Ralph
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


Re: [openssl-users] CA certificate bundle bogus certs

2013-11-25 Thread Erwann Abalea

Hello,

On 25/11/2013 17:14, Sassan Panahinejad wrote:
> I am dealing with a CA certificate bundle, similar to this one:
> https://github.com/twitter/secureheaders/blob/master/config/curl-ca-bundle.crt,
> like the example, the one I am dealing with was automatically
> generated from mozilla's certdata.txt.
>
> Consider the certificate labelled Bogus live.com.
> Now I know from some searching that this certificate is intended to
> block a bad certificate, but I don't know how this works in an openssl
> cert bundle. I am concerned that perhaps the conversion from the
> format used by mozilla has led to the certificate being included as a
> trusted cert instead of an explicitly untrusted one.
>
> Note that there are no other associated files (eg: blacklist.txt) (in
> either the example given, or the file I am dealing with).


There's no real question in this post.

The author of the script used to create a CA bundle from the Mozilla 
root store only took the certificates from this Mozilla root store, 
without the associated permissions. This script is incomplete, and the 
resulting output should NOT be used.
Therefore, you'll find as a result explicitly distrusted certificates, 
such as bogus live.com cert, but also DigiNotar CA certificates, 
MD5-collision CA, other bogus certs (gmail, yahoo, etc), and CA 
certificates not trusted for SSL use.


Don't use that file, at all.

--
Erwann ABALEA
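Erwann's point is that each root in Mozilla's certdata.txt is two objects: a CKO_CERTIFICATE object carrying the DER in CKA_VALUE, and a CKO_NSS_TRUST object carrying the trust bits (CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING), the two tied together by CKA_ISSUER + CKA_SERIAL_NUMBER. A converter that emits every CKA_VALUE as PEM and ignores the trust objects turns CKT_NSS_NOT_TRUSTED entries (the "Bogus ..." records) and roots that are CKT_NSS_MUST_VERIFY_TRUST for server auth (e-mail-only CAs) into trusted TLS roots. The script below is an added example, not code from this thread, from Mozilla, or from the tools linked elsewhere on this page; it assumes the object layout just described, and its sample input is constructed, with placeholder octal blobs rather than real DER certificates, so the PEM it produces only shows which labels survive the filter.

```python
# Added example, not code from this thread, from Mozilla or from agl's tool. It assumes the
# certdata.txt object layout described in the lead-in and runs on constructed placeholder data.
import base64
import re

OCTAL_RE = re.compile(r"\\([0-7]{3})")   # one \NNN escape inside a MULTILINE_OCTAL line
TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"    # trusted as a CA for the given purpose
DISTRUSTED = "CKT_NSS_NOT_TRUSTED"       # explicitly blocked (the "Bogus ..." entries)

def _octal_block(lines, i):
    """Decode MULTILINE_OCTAL lines from lines[i] up to END; return (bytes, index after END)."""
    buf = bytearray()
    while lines[i].strip() != "END":
        buf.extend(int(o, 8) for o in OCTAL_RE.findall(lines[i]))
        i += 1
    return bytes(buf), i + 1

def parse_certdata(text):
    """Return every object in the file as a dict of attribute name -> value."""
    lines, objects, cur, i = text.splitlines(), [], None, 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#") or len(line.split()) < 2:   # blank, comment, BEGINDATA
            continue
        name, typ, *rest = line.split(None, 2)                            # NAME TYPE [VALUE]
        if typ == "MULTILINE_OCTAL":
            value, i = _octal_block(lines, i)
        elif rest:
            value = rest[0].strip('"') if typ == "UTF8" else rest[0]
        else:
            continue
        if name == "CKA_CLASS":                                           # each object starts with its class
            cur = {}
            objects.append(cur)
        if cur is not None:
            cur[name] = value
    return objects

def split_roots(objects):
    """Pair each CKO_CERTIFICATE with its trust object (keyed by issuer + serial, as NSS does)."""
    trust = {}
    for o in objects:
        if o.get("CKA_CLASS") in ("CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST"):   # older files say NETSCAPE
            level = o.get("CKA_TRUST_SERVER_AUTH", "").replace("CKT_NETSCAPE_", "CKT_NSS_")
            trust[(o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"])] = level
    trusted, distrusted, other = [], [], []
    for o in objects:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        entry = (o["CKA_LABEL"], o["CKA_VALUE"])
        level = trust.get((o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]))
        if level == TRUSTED:
            trusted.append(entry)
        elif level == DISTRUSTED:
            distrusted.append(entry)
        else:            # MUST_VERIFY_TRUST (e.g. an e-mail-only CA) or no trust record at all
            other.append(entry)
    return trusted, distrusted, other

def to_pem(label, der):
    body = "\n".join(re.findall(r".{1,64}", base64.b64encode(der).decode()))
    return f"# {label}\n-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_bundle(text):
    """Return (pem_bundle, distrusted_labels, skipped_labels); only server-auth roots reach the PEM."""
    trusted, distrusted, other = split_roots(parse_certdata(text))
    pem = "".join(to_pem(label, der) for label, der in trusted)
    return pem, [label for label, _ in distrusted], [label for label, _ in other]

# Constructed sample in certdata.txt layout; the octal blobs are placeholders, not real DER.
_ENTRY = r"""CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "{label}"
CKA_ISSUER MULTILINE_OCTAL
\060\012\061\010\060\006\006\004\125\004\003
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
{serial}
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000{serial}
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "{label}"
CKA_ISSUER MULTILINE_OCTAL
\060\012\061\010\060\006\006\004\125\004\003
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
{serial}
END
CKA_TRUST_SERVER_AUTH CK_TRUST {server}
CKA_TRUST_EMAIL_PROTECTION CK_TRUST {email}
"""
SAMPLE_CERTDATA = "BEGINDATA\n" + "".join(_ENTRY.format(label=l, serial=s, server=sa, email=ea) for l, s, sa, ea in [
    ("Example Trusted Root", r"\002\001\001", TRUSTED, TRUSTED),
    ("Bogus live.com", r"\002\001\002", DISTRUSTED, DISTRUSTED),
    ("Example Email-Only Root", r"\002\001\003", "CKT_NSS_MUST_VERIFY_TRUST", TRUSTED)])
```

Run `build_bundle(open("certdata.txt").read())` against a real file and only "Example Trusted Root"-style entries (CKT_NSS_TRUSTED_DELEGATOR for server auth) are written out; the second and third return values list what was blocked and what was skipped, which is the audit trail the questioner's bundle lacked. Note that the filter keys on issuer and serial, not on the label, so a "Bogus ..." label is neither required nor sufficient for exclusion.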



Re: [openssl-users] CA certificate bundle bogus certs

2013-11-25 Thread Sassan Panahinejad
Hi Erwann,

Thanks for your response. I'm sorry my question wasn't clearly defined (it
was: will this file work correctly? If so, why?), but you seem to have
answered nonetheless, thank you.

As a follow-up question, is there a way to include these certs in the way
originally intended by the mozilla file (blocking them)? In any case, I
will recommend that the client include some method of checking for key
revocation, such as a CRL or OCSP. I assume either of these methods would
correctly address the problem (after these certs have been removed from the
file)?

Thanks
Sassan


On 25 November 2013 17:03, Erwann Abalea erwann.aba...@keynectis.com wrote:

> Hello,
>
> On 25/11/2013 17:14, Sassan Panahinejad wrote:
>
>> I am dealing with a CA certificate bundle, similar to this one:
>> https://github.com/twitter/secureheaders/blob/master/config/curl-ca-bundle.crt,
>> like the example, the one I am dealing with was automatically generated
>> from mozilla's certdata.txt.
>>
>> Consider the certificate labelled Bogus live.com. Now I know from some
>> searching that this certificate is intended to block a bad certificate, but
>> I don't know how this works in an openssl cert bundle. I am concerned that
>> perhaps the conversion from the format used by mozilla has led to the
>> certificate being included as a trusted cert instead of an explicitly
>> untrusted one.
>>
>> Note that there are no other associated files (eg: blacklist.txt) (in
>> either the example given, or the file I am dealing with).
>
> There's no real question in this post.
>
> The author of the script used to create a CA bundle from the Mozilla root
> store only took the certificates from this Mozilla root store, without the
> associated permissions. This script is incomplete, and the resulting output
> should NOT be used.
> Therefore, you'll find as a result explicitly distrusted certificates,
> such as bogus live.com cert, but also DigiNotar CA certificates,
> MD5-collision CA, other bogus certs (gmail, yahoo, etc), and CA
> certificates not trusted for SSL use.
>
> Don't use that file, at all.
>
> --
> Erwann ABALEA




Re: [openssl-users] CA certificate bundle bogus certs

2013-11-25 Thread Sassan Panahinejad
Excellent, just what I was looking for and incidentally a source I can cite
to my client. Many thanks!


On 25 November 2013 17:24, Ralph Holz ralph-devn...@ralphholz.de wrote:

> Hi,
>
>> Thanks for your response. I'm sorry my question wasn't clearly defined
>> (it was: will this file work correctly? If so, why?), but you seem to
>> have answered nonetheless, thank you.
>>
>> As a follow-up question, is there a way to include these certs in the way
>> originally intended by the mozilla file (blocking them)? In any case, I
>
> There is:
>
> https://github.com/agl/extract-nss-root-certs
>
> If you need to work on (much) older root stores, too:
>
> https://github.com/ralphholz/root-store-archaeology
>
> Ralph