certutils from libnss3-tools - man page contradicts Mozilla's
Bug #1586538 reported by DiagonalArg
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
NSS | New | Unknown | |
nss (Ubuntu) | Triaged | Undecided | Unassigned |
Bug Description
Description of certutil here:
https:/
contradicts the man page here:
http://
In the former "-t p" is "prohibited (explicitly distrusted)". In the latter, it's "Valid peer".
I'm listing it as a security vuln, because someone could mistakenly do the wrong thing.
information type: Private Security → Public Security
Changed in nss:
importance: Unknown → Medium
status: Unknown → New
Changed in nss (Ubuntu):
status: New → Triaged
Changed in nss:
importance: Medium → Unknown
Could you please report this issue to Mozilla? Based on a quick look at our source code and manpage I think our manpages correctly document the situation:
lib/certdb/certdb.c

    SECStatus
    CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts)
    {
        unsigned int i;
        unsigned int *pflags;

        if (!trust) {
            PORT_SetError(SEC_ERROR_INVALID_ARGS);
            return SECFailure;
        }
        trust->sslFlags = 0;
        trust->emailFlags = 0;
        trust->objectSigningFlags = 0;
        if (!trusts) {
            PORT_SetError(SEC_ERROR_INVALID_ARGS);
            return SECFailure;
        }

        pflags = &trust->sslFlags;

        for (i = 0; i < PORT_Strlen(trusts); i++) {
            switch (trusts[i]) {
                case 'p':
                    *pflags = *pflags | CERTDB_TERMINAL_RECORD;
                    break;

                case 'P':
                    *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
                    break;

lib/certdb/certdb.h

    typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated("CERTDB_VALID_PEER is now CERTDB_TERMINAL_RECORD")));
There's a chance that "valid peer" is really being used to mean "not trusted for this particular feature" but that feels strange.
Thanks
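To make the distinction in the comment above concrete, here is an added, stand-alone re-implementation of the trust-string decoding for the two letters the excerpt shows. It is example code written for this page, not NSS's own code and not certutil. The flag values CERTDB_TERMINAL_RECORD and CERTDB_TRUSTED are the ones defined in NSS's certdb.h; the comma separator that moves from the SSL group to the email group and then to the object-signing group, and the rejection of unknown letters, follow NSS's behaviour as I understand it and are not shown in the excerpt, so treat them as assumptions. The point it demonstrates is that a lowercase p sets only the terminal-record bit, so a lookup stops at this record without the TRUSTED bit being set, which is what "explicitly distrusted" means; only uppercase P marks the peer as trusted.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Flag values as defined in NSS lib/certdb/certdb.h. */
#define CERTDB_TERMINAL_RECORD (1u << 0)
#define CERTDB_TRUSTED         (1u << 1)

/* The three flag groups of a certutil trust string: ssl,email,objsign. */
typedef struct {
    unsigned int sslFlags;
    unsigned int emailFlags;
    unsigned int objectSigningFlags;
} TrustFlags;

/* Decode a trust string such as "p,P," into the three groups.
 * Handles only 'p', 'P' and ',' (assumption of this example: more than
 * three groups or any other character is an error). Returns 0 on
 * success, -1 on error. */
int decode_trust_string(const char *trusts, TrustFlags *trust)
{
    unsigned int *pflags;
    size_t i;

    if (!trust || !trusts)
        return -1;
    trust->sslFlags = trust->emailFlags = trust->objectSigningFlags = 0;
    pflags = &trust->sslFlags;

    for (i = 0; i < strlen(trusts); i++) {
        switch (trusts[i]) {
        case 'p':
            /* lowercase p: terminal record, TRUSTED deliberately NOT set */
            *pflags |= CERTDB_TERMINAL_RECORD;
            break;
        case 'P':
            /* uppercase P: trusted peer, and the record is terminal */
            *pflags |= CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
            break;
        case ',':
            if (pflags == &trust->sslFlags)
                pflags = &trust->emailFlags;
            else if (pflags == &trust->emailFlags)
                pflags = &trust->objectSigningFlags;
            else
                return -1;
            break;
        default:
            return -1;
        }
    }
    return 0;
}

/* Flags of one group (0 = ssl, 1 = email, 2 = objsign), or UINT_MAX on
 * a decoding error. Convenience wrapper for checks and tests. */
unsigned int decode_group(const char *trusts, int group)
{
    TrustFlags t;
    if (decode_trust_string(trusts, &t) != 0)
        return UINT_MAX;
    if (group == 0) return t.sslFlags;
    if (group == 1) return t.emailFlags;
    return t.objectSigningFlags;
}

/* Explicitly distrusted: the lookup terminates here, yet nothing says
 * "trusted". This is the state a lowercase p produces. */
int is_explicitly_distrusted(unsigned int flags)
{
    return (flags & CERTDB_TERMINAL_RECORD) && !(flags & CERTDB_TRUSTED);
}

int is_trusted_peer(unsigned int flags)
{
    return (flags & CERTDB_TRUSTED) != 0;
}

int main(void)
{
    /* constructed sample trust strings */
    const char *samples[] = { "p,p,p", "P,,", "p,P,", "x" };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        unsigned int ssl = decode_group(samples[n], 0);
        if (ssl == UINT_MAX) {
            printf("%-6s -> invalid trust string\n", samples[n]);
            continue;
        }
        printf("%-6s -> ssl flags 0x%x: %s\n", samples[n], ssl,
               is_trusted_peer(ssl) ? "trusted peer"
               : is_explicitly_distrusted(ssl) ? "explicitly distrusted"
               : "no peer trust recorded");
    }
    return 0;
}
```

Running it prints that "p,p,p" decodes to flags 0x1 (explicitly distrusted) while "P,," decodes to 0x3 (trusted peer), which is exactly the difference the Mozilla description and the man page disagree on.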