Граф коммитов

47 Коммитов

Автор SHA1 Сообщение Дата
Daniel Stenberg 076c0ab683 mk-ca-bundle.pl: add missing $ 2014-08-13 23:49:01 +02:00
Daniel Stenberg 57b53918d1 mk-ca-bundle.pl: switched to using hg.mozilla.org
... as mxr.mozilla.org is due to be retired.

The new host doesn't support If-Modified-Since nor ETags, meaning that
the script will now defer to download and do a post-transfer checksum
check to see if a new output is to be generated. The new output format
will hold the SHA1 checksum of the source file for that purpose.

We call this version 1.22

Reported-by: Ed Morley
Bug: http://curl.haxx.se/bug/view.cgi?id=1409
2014-08-13 23:42:53 +02:00
Patrick Watson 94898303d2 mk-ca-bundle: added -p
-p takes a list of Mozilla trust purposes and levels for certificates to
include in output.  Takes the form of a comma separated list of
purposes, a colon, and a comma separated list of levels.
2014-05-08 11:37:45 +02:00
Daniel Stenberg 619d1704ae mk-ca-bundle.pl: avoid warnings with -d without parameter 2014-01-05 23:53:26 +01:00
Leif W d5f1590d5c mk-ca-bundle: introduces -d and warns about using this script 2014-01-05 23:38:32 +01:00
Guenter Knauf 0ce410a629 Simplify check for trusted certificates.
This changes the previous check for untrusted certs to a check for
certs explicitely marked as trusted.
The change is backward-compatible (tested with certdata.txt v1.80).
2013-08-05 13:02:27 +02:00
Guenter Knauf 51f0b798fa Skip more untrusted certificates.
Christian Heimes brought to our attention that the certdata.txt
format has recently changed [1], causing ca-bundle.crt created
with mk-ca-bundle.[pl|vbs] to include untrusted certs.

[1] http://lists.debian.org/debian-release/2012/11/msg00411.html
2013-08-04 21:30:11 +02:00
Guenter Knauf 577703495e Fixed lost OpenSSL output with "-t" - followup.
The previously applied patch didnt work on Windows; we cant rely
on shell commands like 'echo' since they act diffently on each
platform and each shell.
In order to keep this script platform-independent the code must
only use pure Perl.
2013-04-10 00:20:37 +02:00
Guenter Knauf 88535d593e Fixed lost OpenSSL output with "-t".
The OpenSSL pipe wrote to the final CA bundle file, but the encoded PEM
output wrote to a temporary file.  Consequently, the OpenSSL output was
lost when the temp file was renamed to the final file at script finish
(overwriting the final file written earlier by openssl).
Patch posted to the list by Richard Michael (rmichael edgeofthenet org).
2013-04-09 16:59:57 +02:00
Guenter Knauf fbc35d394c Another small output fix for --help and --version. 2013-04-04 04:02:12 +02:00
Guenter Knauf ce8a35c318 Fixed version output. 2013-04-04 00:23:58 +02:00
Guenter Knauf c3fa3aaf2c Added support for --help and --version options. 2013-04-04 00:21:10 +02:00
Guenter Knauf 8efd74de46 Added option to specify length of base64 output.
Based on a patch posted to the list by Richard Michael.
2013-04-04 00:02:49 +02:00
Daniel Stenberg cc4ac82bb6 mk-ca-bundle: add -f, support passing to stdout and more
1. When the downloaded data file from Mozilla is current, but the output
bundle does not exist: continue processing to create the bundle.  The
goal is to have the output file - not just download the latest input.

2. added -f option to force re-processing the file.  Useful for
debugging/testing the process.

3. added support for output to '-' (stdout), allowing the output to be
piped.

4. All progress and error messages go to STDERR rather than STDOUT (3)

5. The script opened and closed the output file many times
unnecessarily.  It now opens it once, does the output and closes it.

6. Backup of the input files happens after successful processing, not
before.

7. The output is written to a temporary file, and renamed to the
requested name after backup - this greatly reduces the window where the
file can be seen partially written.

8. all die calls have a \n at the end to suppress perl's traceback - the
traceback isn't useful to end users.

Patch: http://curl.haxx.se/mail/lib-2013-01/0045.html
2013-01-05 23:51:12 +01:00
Daniel Stenberg 3a0b64489f mk-ca-bundle: detect start of trust section better
Each certificate section of the input certdata.txt file has a trust
section following it with details.

This script failed to detect the start of the trust for at least one
cert[*], which made the script continue pass that section into the next
one where it found an 'untrusted' marker and as a result that certficate
was not included in the output.

[*] = "Hellenic Academic and Research Institutions RootCA 2011"

Bug: http://curl.haxx.se/mail/lib-2012-09/0019.html
2012-09-04 23:21:15 +02:00
Tim Heckman f9bb5d2984 Revert "access the CA source file using HTTPS"
This reverts commit f7e2ab6.

This change caused fetching of the certificates to become unreliable.

Bug: http://curl.haxx.se/mail/lib-2012-03/0238.html
Reported by: Tim Heckman
2012-04-04 23:54:02 +02:00
Daniel Stenberg 33d044a862 Revert "mk-ca-bundle.pl: use LWP::UserAgent for https"
This reverts commit 9f0e1689f1.

It turned out that "improvement" instead made the fetching of the
certificates unreliable

Bug: http://curl.haxx.se/mail/lib-2012-03/0238.html
Reported by: Tim Heckman
2012-03-31 19:51:36 +02:00
John Joseph Bachir 9f0e1689f1 mk-ca-bundle.pl: use LWP::UserAgent with proper https verify behavior.
An alternative would be:

1. specify HTTPS_CA_DIR and/or HTTPS_CA_FILE
2. ensure that Net::SSL is being used, and IO::Socket::SSL is NOT being
   used

This question and answer explain:
http://stackoverflow.com/questions/74358/
2012-03-10 15:51:24 +01:00
John Joseph Bachir f7e2ab629e access the CA source file using HTTPS 2012-03-10 15:50:27 +01:00
Guenter Knauf cd3cf55b47 Also skip certs masked as CKT_NSS_TRUST_UNKNOWN.
Fix posted by Tomas Hoger <thoger redhat com>.
2011-09-20 12:05:31 +02:00
Guenter Knauf d52f3eb598 Fixed final message output. 2011-09-04 22:05:32 +02:00
Guenter Knauf 809cde5416 Fix to skip untrusted certs. 2011-09-04 17:05:49 +02:00
Guenter Knauf e84730948d Replaced var manipulations with perlish hacks. 2011-04-14 01:27:39 +02:00
Daniel Stenberg 23544f35fd mk-ca-bundle.pl: show full URL in output
When I decided to search for a potential error with the cacert bundle it
struck me I wanted to see the full source URL in the output...
2011-04-07 22:42:22 +02:00
Guenter Knauf c37ad9e909 Increased script version. 2011-04-01 15:04:53 +02:00
Guenter Knauf 5eda4bf726 Make use of proxy vars if set.
Posted to the list by Quanah Gibson-Mount [quanah zimbra.com].
2011-04-01 14:58:36 +02:00
Guenter Knauf e02c90dc19 Use var again instead of hard-coded filename. 2011-04-01 14:38:01 +02:00
Ask Bjørn Hansen 3e00af34c8 mk-ca-bundle.pl: Only download if modified
Only download and convert the certdata to the ca-bundle.crt if Mozilla
changed the data

The Perl LWP module (which in a bit of a circular reference is used by
mk-ca-bundle.pl) is now indirectly using this script. I made this small
tweak to make it easier to automatically maintain the generated
ca-bundle.crt file in version control.
2011-03-14 10:20:21 +01:00
Daniel Stenberg ec7978c512 mk-ca-bundle.pl: use new cacert url
The official Mozilla page at
http://www.mozilla.org/projects/security/certs/ points out a new place
as the "proper" place to get Mozilla's CA certs from so this script is
now updated to use that instead.

Reported by: Daniel Mentz
2011-02-02 22:22:15 +01:00
Guenter Knauf 0fa4b41c2b Fixed script version which was still based on CVS Revision tag. 2010-07-22 04:29:54 +02:00
Daniel Stenberg be28825b2d restore executable bits on some files 2010-03-24 11:07:35 +01:00
Daniel Stenberg 2309b4e330 remove the CVSish $Id$ lines 2010-03-24 11:02:54 +01:00
Yang Tse a07bc79117 removed trailing whitespace 2010-02-14 19:40:18 +00:00
Gunter Knauf b718283327 removed obsolete slash in URL. 2008-08-23 21:31:09 +00:00
Daniel Stenberg f46d47239f revert accidental commit 2008-08-23 12:14:05 +00:00
Daniel Stenberg 13dc82b9d4 - Constantine Sapuntzakis fixed a bug when doing proxy CONNECT with the multi
interface, and the proxy would send Connection: close during the
  authentication phase.  http://curl.haxx.se/bug/view.cgi?id=2069047
2008-08-23 12:11:38 +00:00
Daniel Stenberg 81b64f69a5 use a more updated certdata.txt URL 2008-08-21 17:51:22 +00:00
Gunter Knauf cfaf88aab4 fixed version var. 2008-02-15 00:41:54 +00:00
Gunter Knauf ecc75be6f3 moved info block up before help block so that it can also be displayed before help option; trial to add a version number. 2008-02-15 00:26:26 +00:00
Gunter Knauf 019f6a1926 open pipe to openssl commandline instead of writing into temp file. 2008-02-11 18:52:45 +00:00
Gunter Knauf df07c87b89 added strict to make sure all vars are properly defined;
added -t switch to make text info of CAs optional;
added -q switch to be really quiet.
2008-02-11 15:00:00 +00:00
Gunter Knauf 08e5c0812f added -b switch to provide a backup functionality for existing ca-bundle.crt file. 2008-02-10 01:29:24 +00:00
Gunter Knauf a8c71961e0 fixed another wrong var in error message. 2008-02-09 15:32:54 +00:00
Gunter Knauf 63d595a047 fixed wrong var in error message. 2008-02-09 15:00:07 +00:00
Gunter Knauf c764331dd9 use argument to specify output filename if present. 2008-02-08 02:38:12 +00:00
Gunter Knauf 586444b6b8 fixed regex to fetch certdata.txt version since it was replaced by CVS (argh!)
added a switch to display certdata.txt version header.
2008-02-08 01:58:11 +00:00
Gunter Knauf d76a74cc5e added Perl script to create a fresh ca-bundle.crt. 2008-02-08 01:08:25 +00:00