authorGuenter Knauf <lists@gknw.net>2013-08-04 21:30:11 +0200
committerGuenter Knauf <lists@gknw.net>2013-08-04 21:30:11 +0200
commit51f0b798fa572496c56db62dc3970e4ea0b2760c (patch)
tree331a51ca3ccb8b5f01492d4d2bc287adb00025c5 /lib/mk-ca-bundle.pl
parent6b27703b5f525eccdc0a8409f51de8595c75132a (diff)
Skip more untrusted certificates.
Christian Heimes brought to our attention that the certdata.txt format has recently changed [1], causing ca-bundle.crt created with mk-ca-bundle.[pl|vbs] to include untrusted certs. [1] http://lists.debian.org/debian-release/2012/11/msg00411.html
Diffstat (limited to 'lib/mk-ca-bundle.pl')
-rwxr-xr-xlib/mk-ca-bundle.pl7
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index edede4261..873f8fb77 100755
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -40,7 +40,7 @@ my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/
# If the OpenSSL commandline is not in search path you can configure it here!
my $openssl = 'openssl';
-my $version = '1.18';
+my $version = '1.19';
$opt_w = 76; # default base64 encoded lines length
@@ -185,8 +185,9 @@ while (<TXT>) {
while (<TXT>) {
last if (/^#/);
if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
- or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/) {
- $untrusted = 1;
+ or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/
+ or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_MUST_VERIFY_TRUST/) {
+ $untrusted = 1;
}
}
if ($untrusted) {
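Review bot: The trust test in this inner loop is still a denylist, so any `CKA_TRUST_SERVER_AUTH` value that is not one of the three listed never sets `$untrusted` and the certificate ends up in the generated bundle; that is the same failure mode the commit message describes after the certdata.txt format change. Failing closed would survive the next format change: treat a certificate as trusted only when a line matches `/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUSTED_DELEGATOR$/` and skip everything else. The added `CKT_NSS_MUST_VERIFY_TRUST` pattern also lacks the trailing `$` that the two existing patterns carry, so it is a prefix match; add the anchor for consistency unless that is intended. The outer `while (<TXT>)` loop and the `if ($untrusted)` block begin or end outside the hunk, so how `$untrusted` is initialised and consumed is not visible here.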