It could be interesting to note that extracting all the cacerts from your local Firefox installation isn’t that tricky, if you just use some of the magic that are at hand with the NSS certutil tool.
Users of OpenSSL or GnuTLS based tools or libraries (such as libcurl) might be pleased to learn this.
curl users in general of course should be aware that we no longer ship any ca-cert bundle with curl (as of curl 7.18.1), as it seems some ports haven’t yet updated or discovered this.
Update: this script is now present as lib/firefox-db2pem.sh in the curl CVS repository.
I happened to read the blog post called Open-Source Security Idiots which really is having a go at the poor Debian maintainer of OpenSSL for causing the recent much debated OpenSSL security problem in Debian and Debian-based distros.
While I think the author Steven J. Vaughan-Nichols is mostly correct about his criticism, I think he’s being far too specific and trying to pinpoint Debian and claiming that to be a single specific bad distro (and his additional confused complaint on Firefox vs Iceweasel just made the article lose focus).
As someone who’s involved in a bunch of projects that are being packed by a range of Linux distros, I can’t but to disagree. This habit of changing packages without passing the changes upstream is wide-spread and not limited to changes done by maintainers since it also includes mere bug reports. It is something that just about every distro is doing to at least some extent. It varies from package to package and over time, but given an overview I honestly can’t say that there’s a single specific distro that is worse than the others. It is a disease that follows the distros and we must all help out to exterminate it.
Of course, the upstream projects also need to be aware of this and help pushing packagers of their software to behave.
yassl is a (in comparison) small SSL/TLS library that libcurl can be built to use instead of using one of the other SSL/TLS libraries libcurl supports (OpenSSL, GnuTLS, NSS and QSSL). However, yassl differs somewhat from the others in the way that it provides an OpenSSL-emulating API layer so that in libcurl we pretty much use exactly the same code for OpenSSL as we do for yassl.
yassl claimed this libcurl support for several years ago and indeed libcurl builds fine with it and you can even do some basic SSL operations with it, but the emulation is just not good enough to let the curl test suite go through so lots of stuff breaks when libcurl is built with yassl.
I did this same test 15 months ago and it had roughly the same problems then.
As far as I know, the other three main libraries are much more stable (the QSSL/QsoSSL library is only available on the AS/400 platform and thus I don’t personally know much about how it performs) and thus they remain the libraries I recommend users to select from if they want something that’s proven working.
The popular ca extract service on the curl web site converts the Firefox ca certs into a PEM file suitable for use with curl, wget or anything else OpenSSL-based that likes PEM formatted CA cert bundles.
The main script was fixed yesterday as it was previously getting a nightly source code snapshot to get the “magic” file to convert from, but I noticed they stopped updating the nightly source snapshots a good while ago so the updates had stopped!
Now, the script only gets the actually needed certdata file and converts it, so now it downloads a lot less data in vain and it also thus runs much faster. Now the PEM files offered on that page are up-to-date with the most recent Firefox.