UpdCaCert released
Dave Higton (1515) 3497 posts |
I have released the UpdCaCert application, whose aim is to facilitate maintaining the InetDBase:CertData file. That file is used by various applications that do secure transfers, to check the certificate chain for validity. Examples of software that use the file are AcornSSL and all its users (FTPc, AntiSpam, NewsHound, etc.) and curl. UpdCaCert only updates the file if a newer one is available, so as not to load the server excessively; and it maintains the previous CertData file, if one exists, as a backup. The application works under RISC OS 4, 5 and 6, on native hardware and under emulation. I am grateful to Dave Symes for his help in getting UpdCaCert to work on the older versions of OS and with HostFS. You can download UpdCaCert from my web site: https://davehigton.me.uk |
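The update-only-if-newer, keep-a-backup behaviour described in the post above, as an added Python example that is not part of the thread and is not UpdCaCert's code. Comparing timestamps, the `.bak` suffix, the PEM sanity check before the file is replaced, and all names are assumptions of this example; the sample bundle is constructed and holds a placeholder, not a real certificate.

```python
import base64
import os
import re
import shutil
import tempfile

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

# Constructed sample: base64 "MAA=" is an empty DER SEQUENCE (30 00).
CONSTRUCTED_BUNDLE = (b"-----BEGIN CERTIFICATE-----\nMAA=\n"
                      b"-----END CERTIFICATE-----\n")

def count_certs(data: bytes) -> int:
    """Count PEM blocks whose body is strict base64 and starts with a DER
    SEQUENCE tag (0x30). A plausibility check, not full X.509 parsing."""
    found = 0
    for match in PEM_RE.finditer(data):
        try:
            der = base64.b64decode(b"".join(match.group(1).split()),
                                   validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        if der[:1] == b"\x30":
            found += 1
    return found

def install_bundle(new_data: bytes, new_mtime: float, target: str,
                   min_certs: int = 1) -> str:
    """Return 'unchanged', 'rejected' or 'updated'."""
    # Nothing to do unless the offered bundle is newer than the one in place.
    if os.path.exists(target) and os.path.getmtime(target) >= new_mtime:
        return "unchanged"
    # Never swap the trust store for an error page or a truncated download.
    if count_certs(new_data) < min_certs:
        return "rejected"
    directory = os.path.dirname(os.path.abspath(target))
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "wb") as handle:
        handle.write(new_data)
    os.utime(tmp, (new_mtime, new_mtime))
    if os.path.exists(target):
        shutil.copy2(target, target + ".bak")   # keep the previous file
    os.replace(tmp, target)                     # atomic on one filesystem
    return "updated"
```
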
Andrew Conroy (370) 725 posts |
Thanks Dave. I had to update my version of Curl using PackMan as I got half an error message displayed in the app’s window, but after that it worked fine. One point though, if a log file isn’t set in !Run you get an error reported in Reporter of “Message: System variable ‘UpdCaCert$LogFile’ not found”. The app still works though :) |
Martin Avison (27) 1491 posts |
@Dave: After an update of InetDBase:CertData, could/should it also be copied to <Netsurf$Dir>.Resources>.ca-bundle if they exist and are older? @Andrew: Reporter will display all errors that are raised … even though many of them are then handled by the application, as in this case. |
Stuart Swales (8827) 1349 posts |
Interesting point, Martin. On my system <CaCertificates$Dir>.ca_certificates/crt is supplied by the CaCertificates package. Should something else trample on this? I might report a problem quoting CaCertificates 1.00-3 for instance but the file is no longer as supplied by that package. |
Dave Higton (1515) 3497 posts |
Do you really want to maintain multiple copies of the identical file in different places? My reaction is to get any other users to use InetDBase:CertData. The NetSurf team have agreed that it’s a good idea to use it rather than their own (which, I pointed out to them, was a very long way out of date) and only revert to their own if InetDBase:CertData couldn’t be found. |
Dave Higton (1515) 3497 posts |
Who provides this, and what uses it? I couldn’t find any users on my system here, so I deleted it some months ago. |
Dave Higton (1515) 3497 posts |
I’d be most interested to see how that happens. It doesn’t happen for me here, on either of two systems. I thought I’d prevented it pretty centrally. Edit: Ah, I see, it’s Reporter giving the message. I hadn’t twigged that. Well, it isn’t an error. I look for the variable; if it exists, I try to log to it; if it doesn’t exist, I don’t try to log at all. Does anyone see that as an error? |
Stuart Swales (8827) 1349 posts |
The CaCertificates package is from riscos.info PackMan certainly. I think we are waiting on a new PackMan build using the new https://www.riscosopen.org/forum/forums/5/topics/16819#posts-127294 |
Chris Mahoney (1684) 2165 posts |
Nope. Even Reporter is reporting it as a “message”, not an error. |
Martin Avison (27) 1491 posts |
I agree that it would be far better for all to use the one in InetDBase … but until the others are not used, surely it would be better to ensure they are up to date? Hence why I said to update only them if they exist.
Only Reporter will display it as an error raised. |
Colin Ferris (399) 1809 posts |
If there was only one place for Cert the Progs which didn’t use it would complain and then could be patched. |
Martin Avison (27) 1491 posts |
I would prefer Netsurf worked until it was changed! |
Dave Higton (1515) 3497 posts |
I’ve read that sentence so many times, but I still don’t understand it. |
Dave Higton (1515) 3497 posts |
I’m nailing my colours to the mast here. I’m trying to apply pressure to centralise the resource as InetDBase:CertData. As such, I’m not going to contribute to any proliferation of copies of the same data. It should be no problem for anyone who takes a different view. Either:
|
Steve Pampling (1551) 8155 posts |
+1 This has come up several times, the specific item of code/config changes. My comment doesn’t: “There can be only one” |
Stuart Swales (8827) 1349 posts |
Hopefully by this time next year, there will be only one (and it will be InetDBase:CertData, and there will be a nice package to update it). Fingers crossed, eh? |
Martin Avison (27) 1491 posts |
Sorry, perhaps it was a little cryptic. Let me try again… |
Dave Higton (1515) 3497 posts |
Well, here’s a new and interesting finding. I looked through NetSurf’s folder for its cert bundle, and found that I had renamed it some time ago. That means NS can’t have been using it. So I deleted the bundle completely from NS, rebooted, accessed a couple of https sites, shut NS down, and looked at the log. It references InetDBase:CertData! Not only that, but it’s its first choice, not a consequence of a failure to find its own bundle. So NetSurf already works properly. Tested with Dev CI #5313. Anyone else can do the same tests. The list of apps that use anything else seems to be rapidly shrinking. |
Stuart Swales (8827) 1349 posts |
@Dave: Punters (and system integrators) aren’t really very likely to download bleeding-edge builds, though; NetSurf 3.10 still needs its old |
Steve Pampling (1551) 8155 posts |
Well, Dave has done a super job on the updater. It might be redundant when someone gets around to finishing the new stack and putting into a release, but in the meantime it should be welcomed by all – including the NetSurf team, as you point out, sorta. |
Matthew Harris (1462) 36 posts |
@Dave: is there the intention to also have this available via PackMan repositories? Thanks. |
Dave Higton (1515) 3497 posts |
I’ve never gone down that route. What I’ve read of other people’s experiences leaves me very much with the impression that packaging creates as many problems as it solves. (This isn’t the thread to restart the arguments.) I’ve also not gone down the PlingStore route because a web site seems to provide much richer information. And there’s the problem that UpdCaCert is there to solve: one true source. All my stuff will remain on my web site. I don’t want to try to remember to keep other copies up to date. |
David Pitt (3386) 1248 posts |
I have done the test and it does not work here.
On a Titanium, RISC OS 5.29 (07 Nov 2021), NetSurf 3.11 (Dev CI #5313)
Delete certificates file
An error occurred when connecting to www.riscosopen.org
Problem with the SSL CA cert (path? access rights?)
An inspection of NetSurf’s
|
Stuart Swales (8827) 1349 posts |
True, nor is there any mention of
in |
Chris Gransden (337) 1202 posts |
If ca_bundle is null it defaults to the one in the NetSurf folder.
|