On Wed, Jan 07, 2009 at 07:08:28PM -0000, Piotr Czachur wrote:
> Btw.
> What do you mean by "so obviously it's not RFC-compliant in there"? Why are
> certs that come from the Mozilla truststore considered to be non-RFC-compliant?

As I only dump the certificate blobs from certdata.txt out of the nss CSS (Mozilla) this single certificate (or perhaps more?) is obviously in a non-compliant form in there.

It would be nice if you could look if there are more non-compliant certs in /usr/share/ca-certificates/mozilla and raise it with the mozilla devs in their bugtracker. But be aware that they are usually slow on such matters. On the other hand two alternative SSL implementations (openssl and nss) are confirmed to work with it and I'd bet that gnutls does too.

What I could do, of course, is adjusting the dumping script to rewrite the base64 lines. Do you think it's desirable? I *guess* that the certificate in question once matched the CA's copy but that they were pointed at the non-conformant file. I'd normally expect that what I get from the truststore is equivalent to what the CA ships, too. Then we shouldn't do transformations on the certificates again.

But I'm open for both, I think.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                  Release Assistant
`. `'   xmpp:p...@0x539.de                  Stable Release Manager
  `-    finger pkern/k...@db.debian.org

-- 
ca-certificates differ from those provided by root CA
https://bugs.launchpad.net/bugs/314710
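
Added example, not part of the original thread or of the ca-certificates package: a check for the base64 line layout of PEM certificates, plus a re-wrap that shows the decoded bytes stay identical. It assumes the non-compliance discussed is the 64-column wrapping required by RFC 1421 and RFC 7468 (the thread does not say which rule is broken); the function names, the `*.crt` one-certificate-per-file layout and the sample payload are constructed for illustration.

```python
import base64
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
WIDTH = 64  # RFC 1421 / RFC 7468: every body line but the last is 64 chars

def body_lines(pem):
    """Base64 lines between the BEGIN and END markers of one certificate."""
    lines = pem.splitlines()
    stripped = [l.strip() for l in lines]
    return lines[stripped.index(BEGIN) + 1:stripped.index(END)]

def der_bytes(pem):
    """Decoded payload; independent of how the base64 text is wrapped."""
    return base64.b64decode("".join(l.strip() for l in body_lines(pem)), validate=True)

def layout_problems(pem):
    """Deviations from 64-column wrapping; an empty list means conformant."""
    lines, problems = body_lines(pem), []
    for n, line in enumerate(lines, start=1):
        if line != line.strip():
            problems.append(f"line {n}: surrounding whitespace")
        elif len(line) > WIDTH or (n < len(lines) and len(line) < WIDTH):
            problems.append(f"line {n}: {len(line)} chars, expected {WIDTH}")
    return problems

def rewrap(pem):
    """Re-emit the same payload with 64-column lines."""
    b64 = base64.b64encode(der_bytes(pem)).decode("ascii")
    body = [b64[i:i + WIDTH] for i in range(0, len(b64), WIDTH)]
    return "\n".join([BEGIN, *body, END]) + "\n"

def scan(directory):
    """Map each *.crt file (assumed: one PEM certificate) to its problems."""
    found = {}
    for path in sorted(Path(directory).glob("*.crt")):
        try:
            problems = layout_problems(path.read_text(encoding="ascii", errors="replace"))
        except ValueError:  # BEGIN/END marker missing
            problems = ["no certificate markers found"]
        if problems:
            found[path.name] = problems
    return found

# Constructed sample: arbitrary bytes (not a real certificate) wrapped at 76 columns.
SAMPLE_DER = bytes(range(200))
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = "\n".join([BEGIN, *[_b64[i:i + 76] for i in range(0, len(_b64), 76)], END]) + "\n"

if __name__ == "__main__":
    print(layout_problems(SAMPLE_PEM))
    print(scan("/usr/share/ca-certificates/mozilla"))
```

Comparing `der_bytes()` before and after `rewrap()` is the relevant check for the question raised in the message: a layout-only rewrite changes the file's text and file hash but not the certificate itself.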