Using system SSL certificates...

Thiago Macieira thiago at kde.org
Fri Jan 29 21:21:17 GMT 2010


On Friday 29 January 2010, at 21:53:55, Andreas Hartmetz wrote:
> On Friday 29 January 2010 14:30:37 Thiago Macieira wrote:
> > On Friday 29 January 2010, at 14:04:06, Pierre Schmitz wrote:
> > > > I've already made a script to do that. Actually, a Qt program.
> > > > 
> > > > I'll probably update Qt's certificate list with the Firefox ones for
> > > > the next Qt version.
> > > > 
> > > > So all KDE has to do is stop overriding Qt's default certificate
> > > > bundle.
> > > 
> > > I would appreciate if KDE and Qt would use the system wide cert bundle
> > > (optionally configurable at build time).
> > 
> > The only thing that's holding me back in updating the Qt certificates is
> > to decide whether keeping expired certificates is a good thing.
> > 
> > There are 81 certificates in Qt's bundle. One of them is repeated, so 80
> > are unique.
> > 
> > However, from those 80, 8 have expired already.
> > 
> > Of the 72 non-expired, unique certificates in Qt, 48 are *not* in the
> > Firefox certificate store. But when the remainder of the Firefox ones are
> > added, the total increases to 120.
> 
> I'd really want *only* the certificates from Firefox and no expired
> certificates. Expired certificates generate an SSL error when connecting,
> just like a missing certificate. So the only change for client code is a
> different SSL error.
> Can you do that - i.e. just sync with Firefox?
> Or introduce a policy to remove expired certificates after n years and
> otherwise sync with Firefox... As I mentioned, the type of SSL error won't
> matter very much.
> If you can't do that, would you mind posting the script to download the
> certificates? :)

Attaching the program. I'm going to add it to Qt's util/ dir.

As you can see, it downloads the certificates from the XML file in 
http://www.mozilla.org/projects/security/certs/included/. That's the only 
resource I found in Mozilla. If there are more certificates, it would be nice 
to know about them.

The Qt non-Firefox certificates contain the likes of VeriSign, Thawte and 
Equifax. The question is: why are those well-known certificates in Qt but not 
in Firefox?

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
  Senior Product Manager - Nokia, Qt Development Frameworks
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
-------------- next part --------------
A non-text attachment was scrubbed...
Name: main.cpp
Type: text/x-c++src
Size: 18851 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20100129/85aba8a0/attachment.cpp>
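The bookkeeping described above (count the bundle, drop the duplicate, drop the expired roots, diff the rest against Firefox, then count the merged store), as an added example that is not the attached Qt program: a stdlib-only Python audit that dedupes a DER bundle by SHA-256 fingerprint, reads notAfter with a minimal DER walker, and compares against a second store. The certificates below are constructed unsigned skeletons (the function and bundle names are mine); the parser itself handles real DER certificates, so a PEM bundle can be fed through ssl.PEM_cert_to_DER_cert first.

```python
import hashlib
from datetime import datetime, timezone

def _tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = data[pos], data[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the count of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + n], pos + n

def _children(value):  # yield (tag, body) for each TLV inside a SEQUENCE body
    pos = 0
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        yield tag, body

def not_after(der):  # notAfter of a DER X.509 certificate as an aware UTC datetime
    _, cert, _ = _tlv(der, 0)                                 # Certificate
    tbs = next(_children(cert))[1]                            # tbsCertificate
    fields = [f for f in _children(tbs) if f[0] != 0xA0]      # skip optional [0] version
    tag, t = list(_children(fields[3][1]))[1]                 # serial, sigAlg, issuer, validity
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ" # UTCTime vs GeneralizedTime
    return datetime.strptime(t.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def audit(bundle, other, now):
    """Counts in the order the mail reports them: total, unique (by SHA-256
    fingerprint), expired, unique unexpired certs missing from `other`, merged size."""
    fp = lambda d: hashlib.sha256(d).hexdigest()
    unique = {fp(d): d for d in bundle}
    valid = {f: d for f, d in unique.items() if not_after(d) > now}
    other_fps = {fp(d) for d in other}
    return {"total": len(bundle), "unique": len(unique),
            "expired": len(unique) - len(valid),
            "not_in_other": sum(f not in other_fps for f in valid),
            "merged": len(set(valid) | other_fps)}

# Constructed sample input: unsigned certificate skeletons (short-form DER lengths
# only), not real CA certificates; enough structure for not_after() to parse.
def _enc(tag, body):
    return bytes([tag, len(body)]) + body

def fake_cert(serial, not_after_utc):
    validity = _enc(0x30, _enc(0x17, b"100101000000Z") + _enc(0x17, not_after_utc))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, bytes([serial]))
               + _enc(0x30, b"") + _enc(0x30, b"") + validity + _enc(0x30, b""))
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))

A, B = fake_cert(1, b"200101000000Z"), fake_cert(2, b"090101000000Z")  # B already expired
C, D = fake_cert(3, b"250101000000Z"), fake_cert(4, b"300101000000Z")
QT_BUNDLE, FIREFOX_BUNDLE = [A, A, B, C], [C, D]  # A is listed twice, as in Qt's bundle
NOW = datetime(2010, 1, 29, tzinfo=timezone.utc)
```

Running `audit(QT_BUNDLE, FIREFOX_BUNDLE, NOW)` on the sample gives 4 total, 3 unique, 1 expired, 1 not in the other store and 3 after merging; the same call on the real bundles reproduces the figures quoted in the thread.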