LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

LWN.net Weekly Edition for June 6, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The patch is out

The patch is out

Posted Aug 30, 2011 19:17 UTC (Tue) by cesarb (subscriber, #6266)
Parent article: Fraudulent *.google.com certificate issued

According to https://bugzilla.mozilla.org/show_bug.cgi?id=682956#c18 the patch is now in the Mercurial repository (http://hg.mozilla.org/releases/mozilla-release/rev/436365...).

Interesting things from the patch (please correct me if I got anything wrong):

1. The true bug number is 682927. Looking at the preceding and following bug reports, it was created between 2011-08-29 11:59 PDT and 2011-08-29 12:05 PDT.
2. Certificates from the "DigiNotar Root CA" issued after "01-JUL-2011 00:00" are blacklisted, and the user cannot override this.
3. Certificates issued by "Staat der Nederlanden Root CA" (and which do not fall into the previous rule) are still trusted by default, according to a code comment, "By request of the Dutch government".
4. Other DigiNotar certificates are considered untrusted by default (but the user can override this according to the comments, probably the same way a user can trust a self-signed certificate).

(Log in to post comments)

The patch is out

Posted Aug 30, 2011 23:39 UTC (Tue) by lkundrak (subscriber, #43452) [Link] 

    1.55 +    return 0; // No DigiNotor cert => carry on as normal
This is an amusing typo (?)

And the bug report is now open

Posted Aug 31, 2011 12:36 UTC (Wed) by cesarb (subscriber, #6266) [Link]

https://bugzilla.mozilla.org/show_bug.cgi?id=682927

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds