Using system SSL certificates...
Andreas Hartmetz
ahartmetz at gmail.com
Fri Jan 29 20:53:55 GMT 2010
On Friday 29 January 2010 14:30:37 Thiago Macieira wrote:
> On Friday 29 January 2010, at 14:04:06, Pierre Schmitz wrote:
> > > I've already made a script to do that. Actually, a Qt program.
> > >
> > > I'll probably update Qt's certificate list with the Firefox ones for
> > > the next Qt version.
> > >
> > > So all KDE has to do is stop overriding Qt's default certificate
> > > bundle.
> >
> > I would appreciate if KDE and Qt would use the system wide cert bundle
> > (optionally configurable at build time).
>
> The only thing that's holding me back in updating the Qt certificates is to
> decide whether keeping expired certificates is a good thing.
>
> There are 81 certificates in Qt's bundle. One of them is repeated, so 80
> are unique.
>
> However, from those 80, 8 have expired already.
>
> Of the 72 non-expired, unique certificates in Qt, 48 are *not* in the
> Firefox certificate store. But when the remainder of the Firefox ones are
> added, the total increases to 120.
I'd really want *only* the certificates from Firefox and no expired
certificates. Expired certificates generate an SSL error when connecting, just
like a missing certificate. So the only change for client code is a different
SSL error.
Can you do that - i.e. just sync with Firefox?
Or introduce a policy to remove expired certificates after n years and
otherwise sync with Firefox... As I mentioned, the type of SSL error won't
matter very much.
If you can't do that, would you mind posting the script to download the
certificates? :)
More information about the kde-core-devel
mailing list
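
The policy proposed in the message above (keep only the reference store's certificates, drop those expired for more than n years, collapse duplicates) can be sketched as follows. This is an added example, not the script mentioned in the thread and not Qt or KDE code; the function names are hypothetical, both bundles are assumed to be PEM text, and `fake_cert` builds constructed, unsigned DER skeletons purely as sample input.

```python
import base64, hashlib, re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version (absent in v1 certs)
        pos = end
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # validity SEQUENCE
    _, _, pos = _tlv(der, pos)              # skip notBefore
    tag, start, end = _tlv(der, pos)
    text = der[start:end].decode("ascii")
    if tag == 0x17:                         # UTCTime: two-digit year, RFC 5280 pivot at 50
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def load_bundle(pem_text):
    """Map SHA-256 fingerprint -> notAfter; a repeated certificate collapses to one key."""
    ders = [base64.b64decode(body) for body in PEM_RE.findall(pem_text)]
    return {hashlib.sha256(d).hexdigest(): not_after(d) for d in ders}

def sync(local_pem, reference_pem, now, grace_years=0):
    """Keep only reference certs, minus those expired more than grace_years ago."""
    local, ref = load_bundle(local_pem), load_bundle(reference_pem)
    cutoff = now - timedelta(days=365 * grace_years)   # approximate years
    keep = {fp for fp, exp in ref.items() if exp >= cutoff}
    return {"keep": keep, "expired": set(ref) - keep,
            "removed_local": set(local) - keep, "added": keep - set(local)}

def fake_cert(serial, expiry):
    """Constructed test input: unsigned DER skeleton with only the fields read above."""
    t = lambda tag, body: bytes([tag, len(body)]) + body
    validity = t(0x30, t(0x17, b"000101000000Z") + t(0x17, expiry.encode()))
    tbs = t(0x30, t(0xA0, t(0x02, b"\x02")) + t(0x02, bytes([serial])) + t(0x30, b"") * 2 + validity)
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % base64.b64encode(t(0x30, tbs)).decode())
```

The `removed_local` set is the part worth reviewing by hand before shipping a new bundle, since it lists every root that clients trusted before and will stop trusting after the sync.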