path: root/lib/mk-ca-bundle.pl
Commit log, newest first. Each entry: commit message (author, date, files changed, lines -removed/+added), followed by the commit body where there is one.
* mk-ca-bundle.pl: Check curl's exit code after certdata download (Jay Satiro, 2017-06-16, 1 file, -1/+1)
  - No longer allow partial downloads of certdata. Prior to this change partial downloads were (erroneously?) allowed since only the server code was checked to be 200.
  Bug: https://github.com/curl/curl/pull/1577
  Reported-by: Matteo B.
* mk-ca-bundle.vbs: Fix UTF-8 output (Jay Satiro, 2016-10-30, 1 file, -1/+2)
  - Change initial message box to mention delay when downloading/parsing. Since there is no progress meter it was somewhat unexpected that after choosing a filename nothing appears to happen, when actually the cert data is in the process of being downloaded and parsed.
  - Warn if OpenSSL is not present.
  - Use a UTF-8 stream to make the ca-bundle data.
  - Save the UTF-8 ca-bundle stream as binary so that no BOM is added.
  ---
  This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to ANSI due to corrupt UTF-8 output, now fixed. This change completes making the default certificate bundle output of mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which should make it easier to review any difference between their output.
  Ref: https://github.com/curl/curl/pull/1012
* mk-ca-bundle: Update the vbscript version (Jay Satiro, 2016-10-25, 1 file, -2/+3)
  Bring the VBScript version more in line with the perl version:
  - Change timestamp to UTC.
  - Change URL retrieval to HTTPS-only by default.
  - Comment out the options that disabled SSL cert checking by default.
  - Assume OpenSSL is present, get SHA256. And add a flag to toggle it.
  - Fix cert issuer name output. The cert issuer output is now ansi, converted from UTF-8. Prior to this it was corrupt UTF-8. It turns out though we can work with UTF-8 the FSO object that writes ca-bundle can't write UTF-8, so there will have to be some alternative if UTF-8 is needed (like an ADODB.Stream).
  - Disable the certificate text info feature. The certificate text info doesn't work properly with any recent OpenSSL.
* mk-ca-bundle: Change URL retrieval to HTTPS-only by default (Jay Satiro, 2016-10-24, 1 file, -38/+83)
  - Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).
  - New option -k to allow URLs other than HTTPS and enable HTTP fallback.
  Prior to this change the default URL retrieval mode was to fall back to HTTP if HTTPS didn't work.
  Reported-by: Gregory Szorc
  Closes #1012
* mk-ca-bundle.pl: use SHA256 instead of SHA1 (Viktor Szakats, 2016-09-07, 1 file, -14/+14)
  This hash is used to verify the original downloaded certificate bundle and also included in the generated bundle's comment header. Also rename related internal symbols to algorithm-agnostic names.
* mk-ca-bundle.pl: -m keeps ca cert meta data in output (Daniel Stenberg, 2016-08-04, 1 file, -9/+17)
  Makes the script pass on comments holding meta data to the output file. Like fingerprints, issuer, date ranges etc.
  Closes #937
* URLs: change all http:// URLs to https:// (Daniel Stenberg, 2016-02-03, 1 file, -1/+1)
* mk-ca-bundle bugfix: Don't report SHA1 numbers with "-q". (Alexander Pepper, 2015-03-11, 1 file, -15/+20)
  Also unified printing to STDERR by creating the helper method "report".
* mk-ca-bundle.pl: restored forced run again. (Guenter Knauf, 2014-12-13, 1 file, -1/+1)
* mk-ca-bundle: spell fix "version" (Daniel Stenberg, 2014-10-28, 1 file, -1/+1)
* Cosmetics: lowercase non-special subroutine names. (Guenter Knauf, 2014-10-26, 1 file, -15/+15)
* Some cosmetics and simplifies. (Guenter Knauf, 2014-10-23, 1 file, -30/+21)
* Remove dependency on openssl and cut. (Guenter Knauf, 2014-10-23, 1 file, -12/+28)
  Prefer usage of Perl modules for sha1 calculation since there might be systems where openssl is not installed or not in path. If openssl is used for sha1 calculation then don't rely on cut since it is usually not available on other systems than Linux.
* mk-ca-bundle: added SHA-384 signature algorithm (Bruno Thomsen, 2014-10-15, 1 file, -1/+2)
  Certificates based on SHA-1 are being phased out[1]. So we should expect a rise in certificates based on SHA-2. Adding SHA-384 as a valid signature algorithm.
  [1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
  Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
* mk-ca-bundle.pl: converted tabs to spaces, deleted trailing spaces (Viktor Szakáts, 2014-09-11, 1 file, -14/+14)
* mk-ca-bundle.pl: first, try downloading HTTPS with curl (Daniel Stenberg, 2014-09-10, 1 file, -6/+30)
  As a sort of step forward, this script will now first try to get the data from the HTTPS URL using curl, and only if that fails it will switch back to the HTTP transfer using perl's native LWP functionality. To reduce the risk of this script being tricked.
  Using HTTPS to get a cert bundle introduces a chicken-and-egg problem so we can't really ever completely disable HTTP, but chances are that most users already have a ca cert bundle that trusts the mozilla.org site that this script downloads from.
  A future version of this script will probably switch to require a dedicated "insecure" command line option to allow downloading over HTTP (or unverified HTTPS).
* mk-ca-bundle.pl: add missing $ (Daniel Stenberg, 2014-08-13, 1 file, -1/+1)
* mk-ca-bundle.pl: switched to using hg.mozilla.org (Daniel Stenberg, 2014-08-13, 1 file, -15/+56)
  ... as mxr.mozilla.org is due to be retired.
  The new host doesn't support If-Modified-Since nor ETags, meaning that the script will now defer to download and do a post-transfer checksum check to see if a new output is to be generated. The new output format will hold the SHA1 checksum of the source file for that purpose.
  We call this version 1.22
  Reported-by: Ed Morley
  Bug: http://curl.haxx.se/bug/view.cgi?id=1409
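The two acceptance checks that the 2017 "Check curl's exit code" entry and the hg.mozilla.org entry above describe, as an added example in Python (not code from curl's mk-ca-bundle.pl): a transfer is accepted only when curl's own exit code is 0, not merely when the status line said 200 (curl exits with 18, CURLE_PARTIAL_FILE, for a body shorter or longer than announced), and, because the new host offers neither If-Modified-Since nor ETags, the decision to regenerate the bundle is taken after the download by comparing the digest of the fresh certdata with the one recorded in the existing bundle's comment header (SHA256, as the later entry switched to). The `## SHA256: ` header spelling is an assumption of this example, and the certdata revisions are constructed stand-ins.

```python
import hashlib
import re

# Comment line in which the generated bundle records the digest of the
# certdata.txt it was built from. The exact "## SHA256: " spelling is an
# assumption of this example, not taken from mk-ca-bundle.pl itself.
HASH_LINE_RE = re.compile(r"^## SHA256: ([0-9a-f]{64})\s*$", re.MULTILINE)

# curl's exit code when the transferred body is shorter or larger than expected.
CURLE_PARTIAL_FILE = 18


def accept_download(curl_exit_code, http_status):
    """A transfer counts only if curl itself succeeded AND the server said 200.

    Checking the status alone is the bug described in the 2017 entry: a
    connection that dies mid-body still carried a 200 status line, but curl
    exits with 18, so a truncated certdata.txt would otherwise be hashed and
    converted into a bundle with roots silently missing."""
    return curl_exit_code == 0 and http_status == 200


def certdata_digest(certdata):
    """Hex SHA256 of the raw downloaded certdata.txt bytes."""
    return hashlib.sha256(certdata).hexdigest()


def recorded_digest(bundle_text):
    """Digest stored in an existing bundle's header, or None if absent."""
    match = HASH_LINE_RE.search(bundle_text)
    return match.group(1) if match else None


def header_line(certdata):
    """Header line to write into a freshly generated bundle."""
    return "## SHA256: %s\n" % certdata_digest(certdata)


def needs_regeneration(existing_bundle, certdata, force=False):
    """Post-transfer decision (no If-Modified-Since/ETag available): a new
    bundle is produced when forced (-f), when no bundle exists yet, or when
    the digest recorded in the old bundle differs from the new download."""
    if force or existing_bundle is None:
        return True
    return recorded_digest(existing_bundle) != certdata_digest(certdata)


# Constructed stand-ins for two revisions of certdata.txt (not Mozilla data).
CERTDATA_V1 = b"BEGINDATA\n# constructed revision 1\n"
CERTDATA_V2 = b"BEGINDATA\n# constructed revision 2\n"

if __name__ == "__main__":
    bundle = header_line(CERTDATA_V1) + "-----BEGIN CERTIFICATE-----\n...\n"
    print("partial download accepted:", accept_download(CURLE_PARTIAL_FILE, 200))
    print("same data, regenerate:", needs_regeneration(bundle, CERTDATA_V1))
    print("new data, regenerate:", needs_regeneration(bundle, CERTDATA_V2))
```

The digest is taken over the raw bytes as downloaded, before any parsing, so the comparison is independent of how the converter later interprets the file; a bundle produced from a download that failed `accept_download` should never be written in the first place, which is why that check comes before the digest is computed.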
* mk-ca-bundle: added -p (Patrick Watson, 2014-05-08, 1 file, -12/+147)
  -p takes a list of Mozilla trust purposes and levels for certificates to include in output. Takes the form of a comma separated list of purposes, a colon, and a comma separated list of levels.
* mk-ca-bundle.pl: avoid warnings with -d without parameter (Daniel Stenberg, 2014-01-05, 1 file, -0/+5)
* mk-ca-bundle: introduces -d and warns about using this script (Leif W, 2014-01-05, 1 file, -6/+46)
* Simplify check for trusted certificates. (Guenter Knauf, 2013-08-05, 1 file, -5/+3)
  This changes the previous check for untrusted certs to a check for certs explicitly marked as trusted. The change is backward-compatible (tested with certdata.txt v1.80).
* Skip more untrusted certificates. (Guenter Knauf, 2013-08-04, 1 file, -3/+4)
  Christian Heimes brought to our attention that the certdata.txt format has recently changed [1], causing ca-bundle.crt created with mk-ca-bundle.[pl|vbs] to include untrusted certs.
  [1] http://lists.debian.org/debian-release/2012/11/msg00411.html
* Fixed lost OpenSSL output with "-t" - followup. (Guenter Knauf, 2013-04-10, 1 file, -6/+13)
  The previously applied patch didn't work on Windows; we can't rely on shell commands like 'echo' since they act differently on each platform and each shell. In order to keep this script platform-independent the code must only use pure Perl.
* Fixed lost OpenSSL output with "-t". (Guenter Knauf, 2013-04-09, 1 file, -3/+3)
  The OpenSSL pipe wrote to the final CA bundle file, but the encoded PEM output wrote to a temporary file. Consequently, the OpenSSL output was lost when the temp file was renamed to the final file at script finish (overwriting the final file written earlier by openssl).
  Patch posted to the list by Richard Michael (rmichael edgeofthenet org).
* Another small output fix for --help and --version. (Guenter Knauf, 2013-04-04, 1 file, -1/+1)
* Fixed version output. (Guenter Knauf, 2013-04-04, 1 file, -1/+1)
* Added support for --help and --version options. (Guenter Knauf, 2013-04-04, 1 file, -1/+8)
* Added option to specify length of base64 output. (Guenter Knauf, 2013-04-04, 1 file, -5/+10)
  Based on a patch posted to the list by Richard Michael.
* mk-ca-bundle: add -f, support passing to stdout and more (Daniel Stenberg, 2013-01-05, 1 file, -33/+45)
  1. When the downloaded data file from Mozilla is current, but the output bundle does not exist: continue processing to create the bundle. The goal is to have the output file - not just download the latest input.
  2. added -f option to force re-processing the file. Useful for debugging/testing the process.
  3. added support for output to '-' (stdout), allowing the output to be piped.
  4. All progress and error messages go to STDERR rather than STDOUT (3)
  5. The script opened and closed the output file many times unnecessarily. It now opens it once, does the output and closes it.
  6. Backup of the input files happens after successful processing, not before.
  7. The output is written to a temporary file, and renamed to the requested name after backup - this greatly reduces the window where the file can be seen partially written.
  8. all die calls have a \n at the end to suppress perl's traceback - the traceback isn't useful to end users.
  Patch: http://curl.haxx.se/mail/lib-2013-01/0045.html
* mk-ca-bundle: detect start of trust section better (Daniel Stenberg, 2012-09-04, 1 file, -6/+22)
  Each certificate section of the input certdata.txt file has a trust section following it with details. This script failed to detect the start of the trust for at least one cert[*], which made the script continue past that section into the next one where it found an 'untrusted' marker and as a result that certificate was not included in the output.
  [*] = "Hellenic Academic and Research Institutions RootCA 2011"
  Bug: http://curl.haxx.se/mail/lib-2012-09/0019.html
* Revert "access the CA source file using HTTPS" (Tim Heckman, 2012-04-04, 1 file, -1/+1)
  This reverts commit f7e2ab6.
  This change caused fetching of the certificates to become unreliable.
  Bug: http://curl.haxx.se/mail/lib-2012-03/0238.html
  Reported by: Tim Heckman
* Revert "mk-ca-bundle.pl: use LWP::UserAgent for https" (Daniel Stenberg, 2012-03-31, 1 file, -1/+1)
  This reverts commit 9f0e1689f169b83b8fbdae23e0024cc57dcbc770.
  It turned out that "improvement" instead made the fetching of the certificates unreliable
  Bug: http://curl.haxx.se/mail/lib-2012-03/0238.html
  Reported by: Tim Heckman
* mk-ca-bundle.pl: use LWP::UserAgent with proper https verify behavior. (John Joseph Bachir, 2012-03-10, 1 file, -1/+1)
  An alternative would be:
  1. specify HTTPS_CA_DIR and/or HTTPS_CA_FILE
  2. ensure that Net::SSL is being used, and IO::Socket::SSL is NOT being used
  This question and answer explain: http://stackoverflow.com/questions/74358/
* access the CA source file using HTTPS (John Joseph Bachir, 2012-03-10, 1 file, -1/+1)
* Also skip certs masked as CKT_NSS_TRUST_UNKNOWN. (Guenter Knauf, 2011-09-20, 1 file, -1/+2)
  Fix posted by Tomas Hoger <thoger redhat com>.
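The trust handling that several entries above keep adjusting (the -p "purposes:levels" selection, skipping CKT_NSS_NOT_TRUSTED and CKT_NSS_TRUST_UNKNOWN entries rather than only the explicitly trusted ones, and pairing each certificate with its own trust section instead of running past it into the next one) as an added example in Python. This is not code from curl's mk-ca-bundle.pl: the certdata.txt excerpt is constructed, its CKA_VALUE blobs are 5-byte placeholder DER sequences rather than real roots, and the parser assumes Mozilla's ordering where the CKO_NSS_TRUST object directly follows the CKO_CERTIFICATE it belongs to.

```python
import base64
import re

# Constructed excerpt in certdata.txt syntax (not Mozilla data): labels are
# placeholders and each CKA_VALUE is a 5-byte DER SEQUENCE, not a real cert.
SAMPLE_CERTDATA = r"""BEGINDATA
# Certificate "Constructed Root A": trusted for servers and e-mail
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root A"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
# Certificate "Constructed Root B": explicitly distrusted
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root B"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
# Certificate "Constructed Root C": e-mail only, server trust unknown
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root C"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\003
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Root C"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""


def _octal_to_bytes(lines):
    """Decode a MULTILINE_OCTAL payload: one \\ooo escape per byte."""
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(lines)))


def _parse_objects(text):
    """Split certdata.txt into objects; each CKA_CLASS line starts a new one."""
    objects, cur = [], None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "CKA_CLASS":
            cur = {"CKA_CLASS": parts[2]}
            objects.append(cur)
        elif cur is None:
            continue                      # BEGINDATA before the first object
        elif len(parts) == 2 and parts[1] == "MULTILINE_OCTAL":
            payload = []
            for raw in lines:             # consume up to the END marker
                if raw.strip() == "END":
                    break
                payload.append(raw.strip())
            cur[parts[0]] = _octal_to_bytes(payload)
        elif len(parts) == 3:
            cur[parts[0]] = parts[2].strip('"')
    return objects


def iter_certs(text):
    """Pair each CKO_CERTIFICATE with the CKO_NSS_TRUST object right after it
    (Mozilla's ordering, assumed here). A missing or mislabelled trust object
    is the failure mode of the 2012 'trust section' bug, so raise instead of
    silently judging a cert by some other entry's trust flags."""
    objs = _parse_objects(text)
    for i, obj in enumerate(objs):
        if obj["CKA_CLASS"] != "CKO_CERTIFICATE":
            continue
        trust = objs[i + 1] if i + 1 < len(objs) else {}
        if trust.get("CKA_CLASS") != "CKO_NSS_TRUST" or trust.get("CKA_LABEL") != obj["CKA_LABEL"]:
            raise ValueError("trust section not found for %r" % obj["CKA_LABEL"])
        yield obj["CKA_LABEL"], obj["CKA_VALUE"], trust


def select_certs(text, purposes=("SERVER_AUTH",), levels=("TRUSTED_DELEGATOR",)):
    """Keep a cert when its trust for ANY requested purpose is a requested level
    (the -p purposes:levels idea). An absent CKA_TRUST_* attribute counts as
    TRUST_UNKNOWN, so unknown and NOT_TRUSTED entries are dropped unless those
    levels are asked for explicitly."""
    accepted = {"CKT_NSS_" + lvl for lvl in levels}
    return [(label, der) for label, der, trust in iter_certs(text)
            if any(trust.get("CKA_TRUST_" + p, "CKT_NSS_TRUST_UNKNOWN") in accepted
                   for p in purposes)]


def to_pem(der, width=64):
    """PEM-encode DER bytes, wrapping the base64 at a configurable length."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
```

With the defaults only "Constructed Root A" is emitted; asking for EMAIL_PROTECTION adds root C, and root B is only ever produced when NOT_TRUSTED is requested as a level. The positive check (is the cert marked trusted for the purpose I care about?) is what makes a newly introduced trust value safe by default: a level the script has never heard of is excluded rather than included.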
* Fixed final message output. (Guenter Knauf, 2011-09-04, 1 file, -1/+1)
* Fix to skip untrusted certs. (Guenter Knauf, 2011-09-04, 1 file, -21/+29)
* Replaced var manipulations with perlish hacks. (Guenter Knauf, 2011-04-14, 1 file, -4/+2)
* mk-ca-bundle.pl: show full URL in output (Daniel Stenberg, 2011-04-07, 1 file, -1/+1)
  When I decided to search for a potential error with the cacert bundle it struck me I wanted to see the full source URL in the output...
* Increased script version. (Guenter Knauf, 2011-04-01, 1 file, -1/+1)
* Make use of proxy vars if set. (Guenter Knauf, 2011-04-01, 1 file, -0/+1)
  Posted to the list by Quanah Gibson-Mount [quanah zimbra.com].
* Use var again instead of hard-coded filename. (Guenter Knauf, 2011-04-01, 1 file, -1/+1)
* mk-ca-bundle.pl: Only download if modified (Ask Bjørn Hansen, 2011-03-14, 1 file, -12/+13)
  Only download and convert the certdata to the ca-bundle.crt if Mozilla changed the data
  The Perl LWP module (which in a bit of a circular reference is used by mk-ca-bundle.pl) is now indirectly using this script. I made this small tweak to make it easier to automatically maintain the generated ca-bundle.crt file in version control.
* mk-ca-bundle.pl: use new cacert url (Daniel Stenberg, 2011-02-02, 1 file, -2/+2)
  The official Mozilla page at http://www.mozilla.org/projects/security/certs/ points out a new place as the "proper" place to get Mozilla's CA certs from so this script is now updated to use that instead.
  Reported by: Daniel Mentz
* Fixed script version which was still based on CVS Revision tag. (Guenter Knauf, 2010-07-22, 1 file, -1/+1)
* restore executable bits on some files (Daniel Stenberg, 2010-03-24, 1 file, -0/+0)
* remove the CVSish $Id$ lines (Daniel Stenberg, 2010-03-24, 1 file, -1/+0)
* removed trailing whitespace (Yang Tse, 2010-02-14, 1 file, -3/+3)
* removed obsolete slash in URL. (Gunter Knauf, 2008-08-23, 1 file, -1/+1)