Using system SSL certificates...

Andreas Hartmetz ahartmetz at gmail.com
Fri Jan 29 20:53:55 GMT 2010


On Friday 29 January 2010 14:30:37 Thiago Macieira wrote:
> On Friday 29 January 2010, at 14:04:06, Pierre Schmitz wrote:
> > > I've already made a script to do that. Actually, a Qt program.
> > > 
> > > I'll probably update Qt's certificate list with the Firefox ones for
> > > the next Qt version.
> > > 
> > > So all KDE has to do is stop overriding Qt's default certificate
> > > bundle.
> > 
> > I would appreciate if KDE and Qt would use the system wide cert bundle
> > (optionally configurable at build time).
> 
> The only thing that's holding me back in updating the Qt certificates is to
> decide whether keeping expired certificates is a good thing.
> 
> There are 81 certificates in Qt's bundle. One of them is repeated, so 80
> are unique.
> 
> However, from those 80, 8 have expired already.
> 
> Of the 72 non-expired, unique certificates in Qt, 48 are *not* in the
> Firefox certificate store. But when the remainder of the Firefox ones are
> added, the total increases to 120.

I'd really want *only* the certificates from Firefox and no expired 
certificates. Expired certificates generate an SSL error when connecting, just 
like a missing certificate. So the only change for client code is a different 
SSL error.
Can you do that - i.e. just sync with Firefox?
Or introduce a policy to remove expired certificates after n years and 
otherwise sync with Firefox... As I mentioned, the type of SSL error won't 
matter very much.
If you can't do that, would you mind posting the script to download the 
certificates? :)




More information about the kde-core-devel mailing list