On Fri, 2016-02-12 at 11:42 +0100, Kai Engert wrote:
> On Tue, 2016-02-09 at 22:51 +1000, Jonathan Wilson wrote:
> > OpenSSL has an s_client command that allows you to pull the certificates a
> > web page sends and verify the chain of trust against whatever root CA store
> > OpenSSL is using. Is there a way to do something similar for NSS? i.e. pull
> > the certificates a web page sends and validate them against the current set
> > of Mozilla root certificates?
> >
> > And if there is, where do I get it from and how do I compile it? (If it's
> > one of the standard utilities in NSS, how do I compile those?)
>
> If you use a Linux distribution, you can probably get a package that already
> contains the tools. On Fedora it's nss-tools.
>
> We have test utilities that are primarily used as part of the NSS test suite,
> and which (at least on Fedora) are shipped in a separate "unsupported-tools"
> directory, but they can do what you want.
>
> On Fedora, you can execute
> /usr/lib64/nss/unsupported-tools/vfyserv www.yourhost
>
> which will attempt to validate the server's cert against the CA trust
> list that comes with NSS (from the libnssckbi.so module).
Hm, is that really true, on Fedora?

Let's back up for a moment and contemplate just how bizarre it is to have
*different* trust roots depending on which crypto library you happen to build
your application with today.

That situation is insane. And fixed, in Fedora at least.

So if you use vfyserv on Fedora, won't you be using the *same* set of trusted
CAs that OpenSSL and GnuTLS both use? Because libnssckbi.so (by default) is
actually provided by p11-kit-trust.so.

So it might not be *quite* what the OP had in mind. Although the OP didn't say
that they were using Fedora. And other Linux distributions have been slow to
catch up with fixing the one-CA-database-per-library insanity. (Debian has had
update-ca-certificates for ages but it's never actually worked across the
board.)

-- 
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation
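A small shell helper, added here as an example and not code from the thread, from NSS or from p11-kit, that checks the point above before trusting a vfyserv result: it resolves what libnssckbi.so actually is on the box (p11-kit-trust.so means the shared distribution store that OpenSSL and GnuTLS also use; a real NSS module means NSS's own built-in roots), then verifies a host with vfyserv, falling back to openssl s_client so the two can be compared. The paths are assumptions taken from Kai's Fedora layout (/usr/lib64/libnssckbi.so and /usr/lib64/nss/unsupported-tools/vfyserv) and can be overridden with the LIBNSSCKBI and VFYSERV variables; the function names trust_backend and verify_host are mine.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumed Fedora paths; override via env.
LIBNSSCKBI="${LIBNSSCKBI:-/usr/lib64/libnssckbi.so}"
VFYSERV="${VFYSERV:-/usr/lib64/nss/unsupported-tools/vfyserv}"

# Report which trust store a libnssckbi.so really is.
# Prints "p11-kit"     if the module resolves (through any symlink chain, e.g.
#                      /etc/alternatives on Fedora) to p11-kit-trust.so,
#        "nss-builtin" if it resolves to any other real file, and
#        "missing"     if the path does not exist.
trust_backend() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo missing
        return 0
    fi
    target=$(readlink -f "$path")          # follow every symlink hop
    case "$(basename "$target")" in
        p11-kit-trust.so*) echo p11-kit ;;
        *)                 echo nss-builtin ;;
    esac
}

# Verify a server's chain against the NSS trust store with vfyserv if it is
# installed (invoked exactly as in the thread: just the hostname), otherwise
# fall back to openssl s_client on port 443 with a hard verification failure.
verify_host() {
    host="$1"
    if [ -x "$VFYSERV" ]; then
        "$VFYSERV" "$host"
    else
        echo "vfyserv not found at $VFYSERV; using openssl s_client" >&2
        openssl s_client -connect "$host:443" -servername "$host" \
            -verify_return_error </dev/null
    fi
}

# When run directly with a hostname: show the backend first, then verify.
if [ -n "${1:-}" ]; then
    echo "libnssckbi.so backend: $(trust_backend "$LIBNSSCKBI")"
    verify_host "$1"
fi
```

Usage: `sh check-trust.sh www.yourhost`. If the first line says `p11-kit`, a passing vfyserv run tells you the chain validates against the distribution's shared trust store, not specifically against the Mozilla bundle NSS ships, which is the distinction raised above.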
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto