
Comments (12)

bagder avatar bagder commented on June 6, 2024

Hm, yes maybe that's an idea! But isn't that even better tracked in the upstream mercurial repo?

from ca-bundle.

jay avatar jay commented on June 6, 2024

It's not 1:1 though, there is processing, and also just because they update on some frequency doesn't mean you will. It would be good to have a history of what is being distributed, whether it's here or in curl-www. In other words I'd like to be able to tell whether, at point in time x, the website was distributing a bundle with certificate y.


bagder avatar bagder commented on June 6, 2024

Yeah. That's also a pretty good reason to consider something automatic in that fashion for my script on the site...


bagder avatar bagder commented on June 6, 2024

I've now at least made the backend script on the curl site keep the old version when an updated one is received.


lamont-granquist avatar lamont-granquist commented on June 6, 2024

Is there a way to authenticate that an attacker has not hacked in and uploaded a bad copy to https://curl.haxx.se/docs/caextract.html? (This assumes they can hack into the webserver, so the SSL encryption just proves it is coming from the webserver that was broken into.)

Right now we checksum our downloads to detect tampering and every time that URL updates it is indistinguishable from the site getting backdoored, so our builds break.

The nice thing about this repo is that each new version is a new sha with a new url, so we can pin on a version and upgrade on our schedule and not have builds break when you push new content here.

We also do this with everything else that we download so that when ruby-2.3.1.tar.gz or whatever gets released we add the checksum to our configs and point at the new URL -- but the old ruby-2.3.0.tar.gz does not get broken when the upstream releases a new version.

And fundamentally https://curl.haxx.se/docs/caextract.html is an unversioned asset, which is bad. I really badly want a URL with a version string in it.

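An added example, not code from the ca-bundle repo or the curl site, of the consumer-side check lamont-granquist and jay describe in the comments above: pin the downloaded bundle by its SHA-256 so that any change, an upstream update and a tampered copy alike, fails the build until someone deliberately bumps the pin, and inventory the certificates by fingerprint so you can answer whether a given bundle carried certificate y. It assumes the cacert.pem layout (bare `-----BEGIN CERTIFICATE-----` blocks with free text between them); the sample bundle and the bytes inside its blocks are constructed for the example and are not real certificates.

```python
"""Pin a CA bundle by content hash and inventory the certificates it carries.

Added example, not the ca-bundle repo's or curl-www's own code. Assumes a
plain PEM bundle in cacert.pem layout and a build config that records the
SHA-256 of the exact file it downloads.
"""
import base64
import hashlib
import hmac
import re
from typing import List, Sequence

# One PEM certificate block; the base64 body may be wrapped across lines.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of raw bytes: the value a build config pins for a download."""
    return hashlib.sha256(data).hexdigest()


def verify_pinned_bundle(data: bytes, pinned_sha256: str) -> bool:
    """True only if the downloaded bytes hash to the pin in the build config.

    A legitimate new upstream version and a backdoored copy fail this check
    identically; deciding which it is happens when a human reviews and bumps
    the pin, not inside the build.
    """
    return hmac.compare_digest(sha256_hex(data), pinned_sha256.lower())


def cert_fingerprints(data: bytes) -> List[str]:
    """SHA-256 fingerprint (over the DER bytes) of every certificate in the bundle."""
    fingerprints = []
    for match in PEM_BLOCK.finditer(data):
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        fingerprints.append(sha256_hex(der))
    return fingerprints


def bundle_contains(data: bytes, fingerprint: str) -> bool:
    """Answer 'did this bundle carry certificate y?' for a SHA-256 fingerprint."""
    return fingerprint.lower() in cert_fingerprints(data)


def check_download(data: bytes, pinned_sha256: str,
                   required_fingerprints: Sequence[str] = ()) -> int:
    """The gate a build step runs on the fetched bundle.

    Fails closed on a hash mismatch, then confirms every root the build relies
    on is still present. Returns the number of certificates in the bundle.
    """
    if not verify_pinned_bundle(data, pinned_sha256):
        raise ValueError("bundle hash does not match pin: new upstream version or tampering")
    present = cert_fingerprints(data)
    missing = [fp for fp in required_fingerprints if fp.lower() not in present]
    if missing:
        raise ValueError(f"pinned roots missing from bundle: {missing}")
    return len(present)


def _fake_pem(payload: bytes) -> bytes:
    """Wrap bytes as a PEM certificate block, wrapped at 76 columns like a real one."""
    return (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload)
            + b"-----END CERTIFICATE-----\n")


# Constructed sample bundle in cacert.pem layout. The payloads are NOT real DER
# certificates; they stand in for them so the example runs offline.
SAMPLE_BUNDLE = (
    b"##\n## Bundle of CA Root Certificates (constructed sample)\n##\n\n"
    + b"Example Root A\n==============\n"
    + _fake_pem(b"example-root-A-der-bytes")
    + b"\nExample Root B\n==============\n"
    + _fake_pem(b"example-root-B-der-bytes")
)


if __name__ == "__main__":
    pin = sha256_hex(SAMPLE_BUNDLE)           # what the build config would record
    roots = cert_fingerprints(SAMPLE_BUNDLE)  # the roots the build expects to find
    print("certificates:", check_download(SAMPLE_BUNDLE, pin, roots))
    try:
        check_download(SAMPLE_BUNDLE + b"# one trailing change\n", pin)
    except ValueError as err:
        print("rejected:", err)
```

The pin identifies the file, not the URL, which is why a versioned URL matters to this scheme: the build only needs the URL to keep serving the same bytes, and a bump of the pin is the explicit moment someone decides to trust a newer bundle. The hash comparison goes through hmac.compare_digest so the check itself does not leak timing; a fingerprint list built this way, one per bundle version, is also the history jay asks for.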

bagder avatar bagder commented on June 6, 2024

Right, you don't know that curl.haxx.se wasn't broken into, but you also don't know that about github.com. And neither can actually know that the source Mozilla host hasn't been compromised in such a manner. Those are risks we need to accept I think.

The fact that caextract is unversioned is a mixed blessing. Most users appreciate that they can get the latest CA bundle with a fixed URL.

I intend to introduce "versioned" PEM files on the curl.haxx.se site as well, as the automated script actually now keeps formerly generated files as well. That will create fixed URLs to PEMs from dates in time when the remote bundle was updated.

I don't mind keeping this repo around for an indefinite time forward and I won't remove it anytime soon. The main downside with it is that it isn't fully automated so the commit/push of updated bundles are done manually. The curl web site version is fully automated and runs daily and thus catches up on upstream changes sooner.


lamont-granquist avatar lamont-granquist commented on June 6, 2024

But the way our system is, we explicitly don't trust you until we've made a choice to bump the software. Until that point we're automatically validating checksums on downloads, so we will break if there's any tampering in the URLs that we download. We could actually detect hostile backdoors that way. If someone hacks into github right now and somehow changes this repo so that the URL we're downloading from has a cert which is effectively a backdoor, then we'd see our checksums change and the build would break. The problem with the curl.haxx.se urls is that every time you publish a new one it causes the checksums to break.

We've engineered how we consume the ca-certs file to explicitly not accept those risks. And it works fine for pretty much everything we download except for the ca-certs bundle.


bagder avatar bagder commented on June 6, 2024

The problem with the curl.haxx.se urls is that every time you publish a new one it causes the checksums to break.

Right, and then you discover that and fix it. If you don't discover the new bundle you keep using the outdated bundle... 😄

Anyway, I've made the caextract page on curl.haxx.se provide static URLs to specific bundles now that won't change over time.


lamont-granquist avatar lamont-granquist commented on June 6, 2024

Right, and then you discover that and fix it. If you don't discover the new bundle you keep using the outdated bundle... 😄

yeah, but we'd prefer to do it on our own timing...

Anyway, I've made the caextract page on curl.haxx.se provide static URLs to specific bundles now that won't change over time.

sweet, that's all that we need...


lamont-granquist avatar lamont-granquist commented on June 6, 2024

Okay now this repo has no purpose 👍


bagder avatar bagder commented on June 6, 2024

hehe, thanks. I don't have any immediate plans to take it anywhere though...


lamont-granquist avatar lamont-granquist commented on June 6, 2024

yeah, peeps prolly have old references to it, you definitely shouldn't nuke it, but afaik you can close this issue... =)

