This is tha same update as #2740 (for 3.2).
Despite using ``./utils/create_ca_hashes.sh`` git claims ``ca_hashes.txt`` hasn't changed here too.
This fixes#2739.
Same as #2528, only for the 3.0 branch.
- Mozilla: 2024-7-02
- Debian 12, ca-certificates from 20230311
- JDK 21.04
- Apple via https://github.com/apple-oss-distributions/security_certificates (according to git log latest change Fri Dec 15 00:44:35 2023)
- Microsoft via CertUtil (date of this PR)
Modified Readme to reflect that the Apple CA certificates are better to retrieve from GH and clarified minor things.
This also fixes#2525 (for 3.0), where >=2 certificates were missing.
see #2169, #2168
Added:
* Safari for macOS
* Java 17 LTS
* OpenSSL 3.0.3
* Android 11 and 12
* Go client (1.17)
* Firefox 100, Chrome and Edge 101 using Win10
* Thunderbird 91.9
* AppleMail
* LibreSSL from MacOS
* disabled Java 12 and Safari on OS X 10.12
* disabled Android < 6.0
* documention update how to add a client simulation
* add curves-mapping.txt file
Newer configuration files from openssl may include statements
which aren't compatible with our supplied old openssl version.
This commit adds an autodetection of such a file and uses a
openssl.cnf provided by this project then.
The openssl.cnf is from a Debian Jessie package.
See also #1987
* also ca_hashes.txt
* Used Java SDK 15 instead of JRE 8
* Used Windows 10 20H2
* Java Keystore has added 5 certificates (90 --> 95)
Updated Readme and make instructions more reproducible
Fixes#1772
to 1.1.0l and 1.1.1d. Seems that for the latter TLS 1.0 and 1.1
are disabled now, looking at the supported version extension.
However on the command line an s_client connect works. So
this commit need to be amended.
The ciphersuites string for Safari 13.0 ends with a colon (':'). which causes OpenSSL to reject the command line when client simulation testing is performed in --ssl-native mode. This PR fixes the problem by removing the trailing colon.
According to MS this is the latest which is from July 2019.
This is the biggest CA store (probably a lot of intermediate
certificates in there).
This was pulled from MS as described in the Readme.md . It
is exactly the same whether CertUtil will be run from Windows 7
(almost: RIP) or Windows 10.
Other than before teh Java store was extracted directly from a keystore
from a Java JRE from https://jdk.java.net/.
The Debian keystore used previously used the certificates from the Debian
machine itself (installation script in ``/etc/ca-certificates/update.d/``.
Check with ``keytool -list -rfc -keystore /etc/ssl/certs/java/cacerts | grep -i 'alias'``
As a consequence this store contains less certificates:
etc/Java.pem:90
etc/Linux.pem:128
and needs some testing whether it really should be still included.
In some rare cases a server does not support any of the ciphers in $TLS12_CIPHER, but does support at least one cipher in $TLS12_CIPHER_2ND_TRY. In such cases, TLS12_CIPHER should be changed to $TLS12_CIPHER_2ND_TRY so that subsequent tests using $TLS12_CIPHER will succeed.
