UpdCaCert released

I have released the UpdCaCert application, whose aim is to facilitate maintaining the InetDBase:CertData file. That file is used by various applications that do secure transfers, to check the certificate chain for validity. Examples of software that use the file are AcornSSL and all its users (FTPc, AntiSpam, NewsHound, etc.) and curl.

UpdCaCert only updates the file if a newer one is available, so as not to load the server excessively; and it maintains the previous CertData file, if one exists, as a backup.

The application works under RISC OS 4, 5 and 6, on native hardware and under emulation.

I am grateful to Dave Symes for his help in getting UpdCaCert to work on the older versions of OS and with HostFS.

You can download UpdCaCert from my web site: https://davehigton.me.uk

Thanks Dave. I had to update my version of Curl using PackMan as I got half an error message displayed in the app’s window, but after that it worked fine. One point though, if a log file isn’t set in !Run you get an error reported in Reporter of “Message: System variable ‘UpdCaCert$LogFile’ not found”. The app still works though :)

@Dave: After an update of InetDBase:CertData, could/should it also be copied to

<Netsurf$Dir>.Resources>.ca-bundle
<CaCertificates$Dir>.ca_certificates/crt

if they exist and are are older?
Then it would cover many more applications.

@Andrew: Reporter will display all errors that are raised … even though many of them are then handled by the application, as in this case.

Interesting point, Martin. On my system

<CaCertificates$Dir>.ca_certificates/crt

is supplied by the CaCertificates package. Should something else trample on this? I might report a problem quoting CaCertificates 1.00-3 for instance but the file is no longer as supplied by that package.

could/should it also be copied to

Do you really want to maintain multiple copies of the identical file in different places?

My reaction is to get any other users to use InetDBase:CertData.

The NetSurf team have agreed that it’s a good idea to use it rather than their own (which, I pointed out to them, was a very long way out of date) and only revert to their own if InetDBase:CertData couldn’t be found.

supplied by the CaCertificates package

Who provides this, and what uses it?

I couldn’t find any users on my system here, so I deleted it some months ago.

if a log file isn’t set in !Run you get an error reported in Reporter of “Message: System variable ‘UpdCaCert$LogFile’ not found”

I’d be most interested to see how that happens. It doesn’t happen for me here, on either of two systems. I thought I’d prevented it pretty centrally.

Edit: Ah, I see, it’s Reporter giving the message. I hadn’t twigged that. Well, it isn’t an error. I look for the variable; if it exists, I try to log to it; if it doesn’t exist, I don’t try to log at all.

Does anyone see that as an error?

Who provides this, and what uses it?

The CaCertificates package is from riscos.info

PackMan certainly.

I think we are waiting on a new PackMan build using the new ssl libs libcurl that picks up InetDBase:CertData

https://www.riscosopen.org/forum/forums/5/topics/16819#posts-127294

Does anyone see that as an error?

Nope. Even Reporter is reporting it as a “message”, not an error.

I agree that it would be far better for all to use the one in InetDBase … but until the others are not used, surely it would be better to ensure they are up to date? Hence why I said to update only them if they exist.

Does anyone see that as an error?

Only Reporter will display it as an error raised.

If there was only one place for Cert the Progs which didn’t use it would complain and then could be patched.

I would prefer Netsurf worked until it was changed!

I would prefer Netsurf worked until it was changed!

I’ve read that sentence so many times, but I still don’t understand it.

until the others are not used, surely it would be better to ensure they are up to date?

I’m nailing my colours to the mast here. I’m trying to apply pressure to centralise the resource as InetDBase:CertData. As such, I’m not going to contribute to any proliferation of copies of the same data.

It should be no problem for anyone who takes a different view. Either:

• look at the result of running UpdCaCert when it’s run manually, and copy the file when UpdCaCert says it has succeeded; or
• UpdCaCert is distributed in source form; everyone is at liberty to add their own code to copy the file to other location(s).

I’m nailing my colours to the mast here. I’m trying to apply pressure to centralise the resource as InetDBase:CertData. As such, I’m not going to contribute to any proliferation of copies of the same data.

+1

This has come up several times, the specific item of code/config changes. My comment doesn’t: “There can be only one”
What was it last time?
Multiple Mime files, or was it the library in the test browser that breaks other items because of its load method?

“There can be only one”

Hopefully by this time next year, there will be only one (and it will be InetDBase:CertData, and there will be a nice package to update it). Fingers crossed, eh?

I would prefer Netsurf worked until it was changed!

I’ve read that sentence so many times, but I still don’t understand it.

Sorry, perhaps it was a little cryptic. Let me try again…
I want Netsurf to work with the an up-to-date CertData, until it uses the InetDBase version. Then I will very happily remove the Netsurf version, if it is not automatically deleted. I do not want Netsurf to use an out-of-date CertData until then (whenever that is).
And thanks for helping it to be sooner rather than later!

Well, here’s a new and interesting finding. I looked through NetSurf’s folder for its cert bundle, and found that I had renamed it some time ago. That means NS can’t have been using it. So I deleted the bundle completely from NS, rebooted, accessed a couple of https sites, shut NS down, and looked at the log. It references InetDBase:CertData! Not only that, but it’s its first choice, not a consequence of a failure to find its own bundle.

So NetSurf already works properly. Tested with Dev CI #5313. Anyone else can do the same tests.

The list of apps that use anything else seems to be rapidly shrinking.

@Dave: Punters (and system integrators) aren’t really very likely to download bleeding-edge builds, though; NetSurf 3.10 still needs its old ca-bundle file. We need to gently prod the NetSurf team into creating a new release…

Hopefully by this time next year, there will be only one (and it will be InetDBase:CertData, and there will be a nice package to update it). Fingers crossed, eh?

Well, Dave has done a super job on the updater. It might be redundant when someone gets around to finishing the new stack and putting into a release, but in the meantime it should be welcomed by all – including the NetSurf team, as you point out, sorta.

@Dave: is there the intention to also have this available via PackMan repositories?

Thanks.

is there the intention to also have this available via PackMan repositories?

I’ve never gone down that route. What I’ve read of other people’s experiences leaves me very much with the impression that packaging creates as many problems as it solves. (This isn’t the thread to restart the arguments.)

I’ve also not gone down the PlingStore route because a web site seems to provide much richer information.

And there’s the problem that UpdCaCert is there to solve: one true source. All my stuff will remain on my web site. I don’t want to try to remember to keep other copies up to date.

So NetSurf already works properly. Tested with Dev CI #5313. Anyone else can do the same tests.

I have done the test and it does not work here.

On a Titanium, RISC OS 5.29 (07 Nov 2021), NetSurf 3.11 (Dev CI #5313)

Delete certificates file !NetSurf.Resources.ca-bundle

An error occurred when connecting to www.riscosopen.org

Problem with the SSL CA cert (path? access rights?)

An inspection of NetSurf’s xpand'd !RunImage shows no calls to InetDBase:CertData and there is nothing of the sort in the log.

There is only one instance of NetSurf:Resources.ca-bundle which can be overwritten with a zero terminated InetDBase:CertData. That does work.

It would be relatively simple to add that to the sources, check if the ROOL construct is present and if not use the internal version. NetSurf is intended to work on OS4.02 and later.

An inspection of NetSurf’s xpand’d !RunImage shows no calls to InetDBase:CertData and there is nothing of the sort in the log.

True, nor is there any mention of CertData in the current NetSurf source. But you can get existing NetSurf to use the InetDBase:CertData file by adding the line

ca_bundle:InetDBase:CertData

in Choices:WWW.NetSurf.Choices. That works for me with NetSurf 3.10, even if I delete the NetSurf:Resources.ca-bundle file.

If ca_bundle is null it defaults to the one in the NetSurf folder.

nsoption_setnull_charp(ca_bundle, strdup("NetSurf:Resources.ca-bundle"));