| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
and non-utf8 bytes escaped.
ok sthen@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Add new root certificates present in Mozilla cert store from CA
organizations who are already in cert.pem (AddTrust, Comodo, DigiCert,
Entrust, GeoTrust, USERTrust).
- Replace Startcom's root with their updated sha256 version present in
Mozilla cert store. (They maintained serial# etc so this is still valid
for existing signed certificates).
- Add two root certificates from CA not previously present:
"C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority"
"C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" (the latter used by yandex.ru)
We are still listing some certificates that have been removed from
Mozilla's store (1024-bit etc) however these cannot be removed until
cert validation is improved (we don't currently accept a certificate
as valid unless the CA is at the end of a chain).
|
| |
|
|
|
|
|
|
|
|
|
| |
(CN if available, otherwise OU).
Add a comment identifying the org. Now to get an easy-to-read list
of certificates in the file you can use "grep ^[#=] cert.pem".
Prepared with https://spacehopper.org/format-pem.20160201. If you would
like to verify this commit to ensure that I didn't sneak in any other
changes, it will be easier to use the script rather than do it by hand.
|
| |
|
|
|
|
|
|
|
| |
aren't really useful (the information can be obtained by feeding the cert
into "openssl x509 -in filename -text") and add a separator between certs
showing the CA's CN or OU (similar to the display format in web browsers).
Include both SHA1 and SHA256 fingerprints for all certificates.
ok beck@ zhuk@ jung@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
certificate from cert.pem. ok rpe@
Symantec/VeriSign say "Browsers/root store operators are encouraged to
remove/untrust this root from their root stores" and "hasn't been used to
generate new certificates in several years, and will now be repurposed to
provide transition support for some of our enterprise customers' legacy,
non-public applications" (https://www.symantec.com/page.jsp?id=roots,
http://www.scmagazine.com/google-will-remove-trust-of-symantecs-pca3-g1-certificate/article/459688/).
Also see
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941
https://googleonlinesecurity.blogspot.co.uk/2015/12/proactive-measures-in-digital.html
|
| |
|
|
|
|
|
| |
In some cases sites signed by this are covered by the old "AddTrust External
CA Root" that we already had, but that depends on the site sending a fairly
large chain of intermediate certificates which most aren't doing (because
there's no need because this newer one is in browser stores..).
|
| |
|
|
| |
req by and OK dlg, no objections in 5 days
|
| |
|
|
|
|
| |
C=FR, O=Certplus, CN=Class 2 Primary CA
req by beck@, ok miod@ beck@
|
| |
|
|
|
| |
needed for fetching ports distfiles.
ok sthen@
|
| |
|
|
|
|
| |
"O=Digital Signature Trust Co., CN=DST Root CA X3". This CA is cross signing
the issuing intermediates for letsencrypt.org so is expected to be important
for at least ports distfile fetching in the future. ok ajacoutot@ juanfra@
|
| | |
|
|
|
as configuration files; split manpages and .pc files between libcrypto and
libssl.
No functional change, only there to make engineering easier, and libcrypto
sources are still found in libssl/src/crypto at the moment.
ok reyk@, also discussed with deraadt@ beck@ and the usual crypto suspects.
|
