On Fri, 2017-04-07 at 10:38 +0200, Kamil Dudka wrote:
> Although we build libcurl against NSS now, it loads the same CA bundle as
> if we built it against OpenSSL:
> /etc/pki/tls/certs/ca-bundle.crt
> So I doubt it could actually take advantage of those extra flags.
This file doesn't contain the distrust flags.
The correct file would be /etc/pki/tls/certs/ca-bundle.trust.crt
> If you have a reproducer at hand, you can give it a try.
> I currently don't know of a public test site that uses a blacklisted
> certificate.
As long as libcurl/openssl doesn't load the right file, we don't need to test.
When you're able to switch openssl to use the correct one, I can help to create
a test for that.
> Even if you switch that to the distrust list, you still don't get the
> partial distrust, which may be implemented at the NSS code level (such as
> date based distrust for StartCom/WoSign roots, and the domain constraints
> for some CA).
> You say "may be implemented at the NSS code level".
The intention was to say that additional distrust rules might get implemented
at the NSS code level in the future.
> Do I understand it correctly that NSS currently does not implement the
> date based distrust and the domain constraints?
NSS does implement them, see the places where the wiki page mentions NSS:
https://wiki.mozilla.org/CA:Root_Store_Trust_Mods
Kai
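As an added illustration (not part of the thread, and not Fedora's or curl's code), here is a small Python scanner for the two bundle formats the reply contrasts: plain CERTIFICATE blocks, as found in ca-bundle.crt, have no place for trust or reject flags, while the TRUSTED CERTIFICATE blocks in ca-bundle.trust.crt append OpenSSL's CERT_AUX structure, whose reject list is how that format marks purposes a root must not be trusted for. The sample bundle, the alias and the rejected purpose are constructed; the DER parser is minimal and assumes well-formed input.

```python
import base64
import re

# Constructed sample, not a real Fedora bundle: a plain CERTIFICATE entry (no room for flags) and a
# TRUSTED CERTIFICATE whose CERT_AUX rejects serverAuth; "30 00" (empty SEQUENCE) stands in for X.509 DER.
AUX_DER = bytes.fromhex("3014" "a00a" "06082b06010505070301" "0c06426164204341")
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n"
                 "-----BEGIN TRUSTED CERTIFICATE-----\n%s\n-----END TRUSTED CERTIFICATE-----\n"
                 % base64.b64encode(b"\x30\x00" + AUX_DER).decode())
PEM_RE = re.compile(r"-----BEGIN (TRUSTED CERTIFICATE|CERTIFICATE)-----\n(.*?)\n-----END \1-----", re.S)

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits count the length octets that follow
        pos, length = pos + (length & 0x7F), int.from_bytes(data[pos:pos + (length & 0x7F)], "big")
    return tag, data[pos:pos + length], pos + length

def _oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_trusted(der):
    """Trust/reject OIDs and alias from the CERT_AUX appended after the certificate DER."""
    info = {"trust": [], "reject": [], "alias": None}
    _, _, pos = _tlv(der, 0)               # skip the X.509 Certificate SEQUENCE
    if pos < len(der):                     # CERT_AUX ::= SEQUENCE { trust, [0] reject, alias, ... }
        _, aux, _ = _tlv(der, pos)
        p = 0
        while p < len(aux):
            tag, val, p = _tlv(aux, p)
            if tag in (0x30, 0xA0):        # 0x30 = trust SEQUENCE OF OID, 0xA0 = reject [0] IMPLICIT
                key, q = ("trust" if tag == 0x30 else "reject"), 0
                while q < len(val):
                    _, o, q = _tlv(val, q)
                    info[key].append(_oid(o))
            elif tag == 0x0C:              # alias UTF8String
                info["alias"] = val.decode()
    return info

def scan_bundle(text):
    """One record per PEM entry; only TRUSTED CERTIFICATE entries can carry rejections."""
    return [{"kind": kind, **(parse_trusted(base64.b64decode(body)) if kind.startswith("TRUSTED")
                              else {"trust": [], "reject": [], "alias": None})}
            for kind, body in PEM_RE.findall(text)]
```

Run `scan_bundle(open(path).read())` against ca-bundle.crt and ca-bundle.trust.crt to see that only the latter yields entries with a non-empty reject list.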