Merge pull request 'Corrected language. This is the New Client Certificate page, but has the New Server Certificate language.' (!19) from bug-1559 into main

Reviewed-on: #19
Reviewed-by: Jan Dittberner <jandd@cacert.org>
Reviewed-by: Kim Nilsson <knilsson@cacert.org>
Reviewed-by: Dirk Astrath <dirk@cacert.org>

.gitignore

@@ -5,3 +5,14 @@
 
 # Ignore file with the account data
 /password.dat
+
+/CommModule/*-active
+/CommModule/logfile*txt
+/CommModule/nohup.out
+/CommModule/serialserver.conf
+/crt/
+/csr/
+/locale/cv
+/pages/index/feed.rss
+/www/*.crl
+/www/*.crl.patch

CommModule/server.pl

@@ -12,7 +12,7 @@ use File::CounterFile;
 use Time::HiRes q(usleep);
 use IPC::Open3;
 use File::Copy;
-use Digest::SHA1 qw(sha1_hex);
+use Digest::SHA qw(sha1_hex);
 
 #Protocol version:
 my $ver=1;

includes/account.php

@@ -156,7 +156,7 @@ function buildSubjectFromSession() {
 		$emailid = mysql_insert_id();
 
 		$body = _("Below is the link you need to open to verify your email address. Once your address is verified you will be able to start issuing certificates to your heart's content!")."\n\n";
-		$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
+		$body .= "https://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
 		$body .= _("Best regards")."\n"._("CAcert.org Support!");
 
 		sendmail($_REQUEST['email'], "[CAcert.org] "._("Email Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
@@ -253,7 +253,8 @@ function buildSubjectFromSession() {
 		if(!(array_key_exists('addid',$_REQUEST) && is_array($_REQUEST['addid'])) && $_REQUEST['SSO'] != '1')
 		{
 			showheader(_("My CAcert.org Account!"));
-			echo _("I didn't receive a valid Certificate Request, hit the back button and try again.");
+			?><p><?= _("I didn't receive a valid Certificate Request, hit the back button and try again."); ?></p>
+			<p><?= _("You did not select any email address and did not check the SSO option."); ?></p><?
 			showfooter();
 			exit;
 		}
@@ -495,8 +496,13 @@ function buildSubjectFromSession() {
 						`disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
 						`rootcert`='".intval($_SESSION['_config']['rootcert'])."',
 						`md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
-						`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
-			mysql_query($query);
+						`description`='".mysql_real_escape_string($_SESSION['_config']['description'])."',
+						`coll_found`=0";
+
+			if (!mysql_query($query)) {
+				trigger_error("Query failed: " . mysql_errno() . ": " . mysql_error(), E_USER_ERROR);
+			}
+
 			$emailid = mysql_insert_id();
 			if(is_array($addys))
 			foreach($addys as $addy)
@@ -514,7 +520,7 @@ function buildSubjectFromSession() {
 		{
 			$id = 4;
 			showheader(_("My CAcert.org Account!"));
-			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
 			showfooter();
 			exit;
 		} else {
@@ -665,7 +671,7 @@ function buildSubjectFromSession() {
 		$domainid = mysql_insert_id();
 
 		$body = sprintf(_("Below is the link you need to open to verify your domain '%s'. Once your address is verified you will be able to start issuing certificates to your heart's content!"),$_SESSION['_config']['domain'])."\n\n";
-		$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=domain&domainid=$domainid&hash=$hash\n\n";
+		$body .= "https://".$_SESSION['_config']['normalhostname']."/verify.php?type=domain&domainid=$domainid&hash=$hash\n\n";
 		$body .= _("Best regards")."\n"._("CAcert.org Support!");
 
 		sendmail($authaddy, "[CAcert.org] "._("Email Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
@@ -777,7 +783,7 @@ function buildSubjectFromSession() {
 		if(!file_exists($_SESSION['_config']['tmpfname']))
 		{
 			showheader(_("My CAcert.org Account!"));
-			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
 			showfooter();
 			exit;
 		}
@@ -852,7 +858,7 @@ function buildSubjectFromSession() {
 		{
 			$id = 11;
 			showheader(_("My CAcert.org Account!"));
-			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
 			showfooter();
 			exit;
 		} else {
@@ -938,7 +944,7 @@ function buildSubjectFromSession() {
 				$res = mysql_query($query);
 				if(mysql_num_rows($res) <= 0)
 				{
-					printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+					printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
 				} else {
 					$drow = mysql_fetch_assoc($res);
 					$crt_name = escapeshellarg($drow['crt_name']);
@@ -1102,7 +1108,7 @@ function buildSubjectFromSession() {
 				$res = mysql_query($query);
 				if(mysql_num_rows($res) <= 0)
 				{
-					printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+					printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
 				} else {
 					printf(_("Certificate for '%s' has been renewed."), $row['CN']);
 					echo "<br/>\n<a href='account.php?id=6&cert=$newid' target='_new'>".
@@ -1656,7 +1662,7 @@ function buildSubjectFromSession() {
 		if(mysql_num_rows($res) <= 0)
 		{
 			showheader(_("My CAcert.org Account!"));
-			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
 			showfooter();
 			exit;
 		} else {
@@ -1912,7 +1918,7 @@ function buildSubjectFromSession() {
 		if(!file_exists($_SESSION['_config']['tmpfname']))
 		{
 			showheader(_("My CAcert.org Account!"));
-			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
 			showfooter();
 			exit;
 		}
@@ -2010,7 +2016,7 @@ function buildSubjectFromSession() {
 		if(mysql_num_rows($res) <= 0)
 		{
 			showheader(_("My CAcert.org Account!"));
-			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." CSRid: $CSRid", "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." CSRid: $CSRid", "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
 			showfooter();
 			exit;
 		} else {
@@ -2082,7 +2088,7 @@ function buildSubjectFromSession() {
 				$res = mysql_query($query);
 				if(mysql_num_rows($res) <= 0)
 				{
-					printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+					printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
 				} else {
 					$drow = mysql_fetch_assoc($res);
 					$crtname = escapeshellarg($drow['crt_name']);
@@ -2892,7 +2898,7 @@ function buildSubjectFromSession() {
 		if(mysql_num_rows($res) <= 0)
 		{
 			showheader(_("My CAcert.org Account!"));
-			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
+			printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='https://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
 			showfooter();
 			exit;
 		} else {

includes/lib/account.php

@@ -120,7 +120,7 @@ class HashAlgorithms {
 		return array(
 				'sha256' => array(
 						'name' => 'SHA-256',
-						'info' => _('Currently recommended, because the other algorithms might break on some older versions of the GnuTLS library (older than 3.x) still shipped in Debian for example.'),
+						'info' => '',
 					),
 				'sha384' => array(
 						'name' => 'SHA-384',
@@ -128,7 +128,7 @@ class HashAlgorithms {
 					),
 				'sha512' => array(
 						'name' => 'SHA-512',
-						'info' => _('Highest protection against hash collision attacks of the algorithms offered here.'),
+						'info' => '',
 					),
 			);
 	}

includes/lib/general.php

@@ -1,6 +1,6 @@
 <? /*
     LibreSSL - CAcert web application
-    Copyright (C) 2004-2011  CAcert Inc.
+    Copyright (C) CAcert Inc.
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -16,32 +16,91 @@
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */
 
+/**
+ * Walk through the email address environment variables that Apache httpd
+ * might have set and put them into an array.
+ *
+ * The function ensures that unique addresses are returned.
+ *
+ * @return array
+ */
+function get_email_addresses_from_client_cert() {
+	$addresses = array();
+	$maxAddresses = 10; // implement a hard boundary to avoid endless loop
+
+	// try SAN email addresses first
+	$envNameBase = "SSL_CLIENT_SAN_Email";
+	for ($i = 0; $i <= $maxAddresses; $i++) {
+		$envName = sprintf("%s_%d", $envNameBase, $i);
+		if (!array_key_exists($envName, $_SERVER)) {
+			break;
+		}
+		$addresses[] = $_SERVER[$envName];
+	}
+
+	if (count($addresses) > 0) {
+		return array_unique($addresses);
+	}
+
+	// fallback for older Apache httpd versions that do not support email SAN fields
+	$envNameBase = "SSL_CLIENT_S_DN_Email";
+
+	if (array_key_exists($envNameBase, $_SERVER)) {
+		$addresses[] = $_SERVER[$envNameBase];
+	}
+
+	for ($i = 1; $i <= $maxAddresses; $i++) {
+		$envName = sprintf("%s_%d", $envNameBase, $i);
+		if (array_key_exists($envName, $_SERVER)) {
+			$addresses[] = $_SERVER[$envName];
+		}
+	}
+
+	return array_unique($addresses);
+}
+
 /**
  * Checks if the user may log in and retrieve the user id
  *
  * Usually called with $_SERVER['SSL_CLIENT_M_SERIAL'] and
- * 	$_SERVER['SSL_CLIENT_I_DN_CN']
+ *    $_SERVER['SSL_CLIENT_I_DN_CN']
  *
  * @param $serial string
- * 	usually $_SERVER['SSL_CLIENT_M_SERIAL']
+ *    usually $_SERVER['SSL_CLIENT_M_SERIAL']
  * @param $issuer_cn string
- * 	usually $_SERVER['SSL_CLIENT_I_DN_CN']
+ *    usually $_SERVER['SSL_CLIENT_I_DN_CN']
+ * @param $addresses array
+ *  list of email addresses from the certificate
  * @return int
- * 	the user id, -1 in case of error
+ *    the user id, -1 in case of error
+ *
+ * @see get_email_addresses_from_client_cert()
  */
-function get_user_id_from_cert($serial, $issuer_cn)
-{
-	$query = "select `memid` from `emailcerts` where
-			`serial`='".mysql_escape_string($serial)."' and
-			`rootcert`= (select `id` from `root_certs` where
-				`Cert_Text`='".mysql_escape_string($issuer_cn)."') and
-			`revoked`=0 and disablelogin=0 and
-			UNIX_TIMESTAMP(`expire`) - UNIX_TIMESTAMP() > 0";
+function get_user_id_from_cert($serial, $issuer_cn, $addresses) {
+	$addresses_for_sql = array_map('mysql_real_escape_string', $addresses);
+
+	$query = sprintf("SELECT DISTINCT ec.`memid`
+FROM `emailcerts` ec
+         JOIN root_certs r ON r.id = ec.rootcert
+         JOIN email e ON ec.memid = e.memid
+WHERE ec.serial = '%s'
+  AND r.`Cert_Text` = '%s'
+  AND e.email IN ('%s')
+  AND ec.revoked = 0
+  AND ec.disablelogin = 0
+  AND UNIX_TIMESTAMP(ec.expire) > UNIX_TIMESTAMP()", mysql_real_escape_string($serial),
+		mysql_real_escape_string($issuer_cn), implode("', '", $addresses_for_sql));
+
 	$res = mysql_query($query);
-	if(mysql_num_rows($res) > 0)
-	{
-		$row = mysql_fetch_assoc($res);
-		return intval($row['memid']);
+	if ($res === false) {
+		trigger_error(sprintf("MySQL error %d: %s", mysql_errno(), mysql_error()));
+
+		return -1;
+	}
+
+	if (mysql_num_rows($res) === 1) {
+		$row = mysql_fetch_row($res);
+		return intval($row[0]);
 	}
 
 	return -1;

includes/loggedin.php

@@ -54,7 +54,7 @@
 	if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && ($_SESSION['profile']['id'] == 0 || $_SESSION['profile']['loggedin'] == 0))
 	{
 		$user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
-				$_SERVER['SSL_CLIENT_I_DN_CN']);
+				$_SERVER['SSL_CLIENT_I_DN_CN'], get_email_addresses_from_client_cert());
 
 		if($user_id >= 0)
 		{

includes/sponsorinfo.php

@@ -1,8 +1,6 @@
   <div class="sponsorinfo">
     <?=_("CAcert operations are sponsored by")?>
     <a href="http://www.bit.nl/" target="_blank"><img class="sponsorlogo" src="/images/bit.png" alt="[BIT logo]" border="0"></a>
-    <a href="http://www.tunix.nl/" target="_blank"><img class="sponsorlogo" src="/images/tunix.png" alt="[TUNIX logo]" border="0"></a>
     <a href="http://www.nlnet.nl/" target="_blank"><img class="sponsorlogo" src="/images/nlnet.png" alt="[NLnet logo]" border="0"></a>
-    <a href="http://www.openarchitecturenetwork.org/" target="_blank"><img class="sponsorlogo" src="/images/oan.png" alt="[OAN logo]" border="0"></a>
   </div>
 

locale/cv.c

@@ -1,102 +0,0 @@
-#include <stdio.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-typedef unsigned char uchar;
-typedef struct{char * nm; int v;} vp;
-vp vpl[] = {
-  {"nbsp", 160}, {"lt",0x3c}, {"amp", 38},
-  {"eacute", 233}, {"egrave", 232}, {"ouml", 246},
-  {"alpha", 0x3b1}, {"beta", 0x3b2}, {"gamma", 0x3b3},
-  {"delta", 0x3b4}, {"Delta", 0x394},
-  {"sigma", 0x3c3}, {"Sigma", 0x3a3},
-  {"epsilon", 0x3b5}, {"zeta", 0x3b6},
-  {"theta", 0x3b8}, {"mu", 0x3bc},
-  {"phi", 0x3c6},
-  {"omega", 0x3c9},
-  {"lambda", 0x3bb}, {"rho", 0x3c1},
-  {"pi", 0x3c0}, {"Pi", 0x3a0},
-  {"ndash", 0x2013}, {"mdash", 0x2014},
-  {"and", 8743}, {"rarr", 8594}, {"forall", 0x2200},
-  {"sum", 8721}};
-int cc = 0; // count of conversions.
-static void Utf(int m, uint a){
-    if (a & m) {Utf(m>>1, a>>6); putchar(128 | a & 63);}
-    else putchar((m<<1)&255 | a);}
-static void utf8(uint a){
-  if(a == '<') printf("%s", "&lt;");
-  else if(a == '&') printf("%s", "&amp;");
-  else if(a & -128) {++cc;
-  Utf(-32, a>>6); putchar(128 | a & 63);} else putchar(a);}
-char * em[] = {"", "tag", "quoted string", "utf", "character ref"};
-int lc = 1, cil = 0, tcc=0;
-char gc(int x){char c = getchar();
-  if(c == EOF && feof(stdin)) {
-     if(x) fprintf(stderr, "file ended in %s\n", em[x]);
-     fprintf(stderr, "Converted %d characters\n", cc);
-     exit(0);}
-  if(c == 10 || c == 13) {tcc += cil; cil = 0; ++lc;}
-  ++cil; return c;}
-void loc(){fprintf(stderr, "Ending at byte %d of line %d,"
-    "(or 0x%x in file):\n", cil, lc, tcc+cil);}
-char gx(){char c = gc(3); if ((c&0xc0) != 0x80)
-   {loc(); fprintf(stderr, "Bad utf8 extension byte: %02X\n", c);}
-   return c;}
-int main(int argc, char * * args){
-  int bk = argc == 2;
-  while(1){
-  int vx(int x){if((x & 0xffffffe0) == 0x80){
-     if(x == 150) return 8211;
-     if(x == 151) return 8212;
-     loc(); fprintf(stderr, "Invalid character: 0x%x=%d\n", x, x);}
-     return x;}
-  uchar c = gc(0);
-  if(c == '<'){putchar(c); while(1){char c = gc(1);
-     if(c == '"'){putchar(c); while(1){char c = gc(2);
-        if(c == '"'){putchar(c); break;}
-        else putchar(c);}}
-     else if(c == '>'){putchar(c); break;}
-     else putchar(c);}}
-  else if(bk && c > 127){int v=0, sc=0, C=c;  
-     while(C&0x40){C <<=1; v = (v<<6) | gx() & 0x3f; ++sc;}
-     {int uc = vx(v | (0x3f>>sc & (int)c) << 6*sc);
-       {int k = sizeof(vpl)/sizeof(vp);
-       while(k--) if(uc == vpl[k].v)
-         {printf("&%s;", vpl[k].nm); goto end;}}
-       printf("&#x%x;", uc);}
-       end: ++cc;}
-  else if(!bk && c == '&') {char c = gc(4);
-     int gs(char c, int r){
-         int vd(char c){if('0' <= c && c <= '9') return c - '0';
-            {char lc = tolower(c);
-            if(r == 16 && 'a' <= lc && lc <= 'f') return lc - 'a' + 10;
-            loc();
-            fprintf(stderr, "Invalid digit folowing \"&#\" construct.");
-            exit(0);
-            return 0;}}
-         int k = vd(c);
-         while(1){char c = gc(4); if(c == ';') return k;
-            k = r*k + vd(c);}}
-     if(c == '#') {char c = gc(4);
-        utf8(vx(c == 'x' || c == 'X' ? gs('0', 16) : gs(c, 10)));}
-     else {int k = sizeof(vpl)/sizeof(vp);
-        char st[10]; st[0] = c;
-           {int n; for(n=1; n<10; ++n) {char c = gc(4);
-             if(c == ';') goto e1;
-             if(!isalpha(c)) break;
-             st[n] = c;}
-          loc(); fprintf(stderr, "%s reference\n",
-            n>10?"Verbose":"Invalid");
-          continue;
-          e1: st[n] = 0;
-  //      loc(); fprintf(stderr, "string is <%s>.\n", st);
-          while(k--) if(!strcmp(st, vpl[k].nm)) {
-             utf8(vpl[k].v); break;}
-     if(k<0) {loc();
-        fprintf(stderr, "Unrecognized reference: &%s;\n", st);}}}}
-  else if(c > 127) {loc(); fprintf(stderr, "Non ASCII char.\n");}
-  else putchar(c);
-}
-return 0;
-}
-

pages/account/3.php

@@ -18,179 +18,155 @@
 	include_once("../includes/shutdown.php");
 ?>
 <h3><?=_("CAcert Certificate Acceptable Use Policy")?></h3>
-<p><?=_("Once you decide to subscribe for an SSL Server Certificate you will need to complete this agreement. Please read it carefully. Your Certificate Request can only be processed with your acceptance and understanding of this agreement.")?></p>
+<p><?=_("Once you decide to subscribe for an SSL Client Certificate you will need to complete this agreement. Please read it carefully. Your Certificate Request can only be processed with your acceptance and understanding of this agreement.")?></p>
 
-<p><?=_("I hereby represent that I am fully authorized by the owner of the information contained in the CSR sent to CAcert Inc. to apply for an Digital Certificate for secure and authenticated electronic transactions. I understand that a digital certificate serves to identify the Subscriber for the purposes of electronic communication and that the management of the private keys associated with such certificates is the responsibility of the subscriber's technical staff and/or contractors.")?></p>
+<p><?=_("I hereby represent that I am fully authorized by the owner of the information contained in the CSR sent to CAcert Inc. to apply for a Digital Certificate for secure and authenticated electronic transactions. I understand that a digital certificate serves to identify the Subscriber for the purposes of electronic communication and that the management of the private keys associated with such certificates is the responsibility of the subscriber's technical staff and/or contractors.")?></p>
 
-<p><?=_("CAcert Inc.'s public certification services are governed by a CPS as amended from time to time which is incorporated into this Agreement by reference. The Subscriber will use the SSL Server Certificate in accordance with CAcert Inc.'s CPS and supporting documentation published at")?> <a href="http://www.cacert.org/cps.php">http://www.cacert.org/cps.php</a></p>
+<p><?=_("CAcert Inc.'s public certification services are governed by a CPS as amended from time to time which is incorporated into this Agreement by reference. The Subscriber will use the SSL Client Certificate in accordance with CAcert Inc.'s CPS and supporting documentation published at")?> <a href="http://www.cacert.org/cps.php">http://www.cacert.org/cps.php</a></p>
 
 <p><?=_("If the Subscriber's name and/or domain name registration change the subscriber will immediately inform CAcert Inc. who shall revoke the digital certificate. When the Digital Certificate expires or is revoked the company will permanently remove the certificate from the server on which it is installed and will not use it for any purpose thereafter. The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.")?></p>
 
-<form method="post" action="account.php">
-<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
-  <tr>
-    <td colspan="2" class="title"><?=_("New Client Certificate")?></td>
-  </tr>
-  <tr>
-    <td class="DataTD"><?=_("Add")?></td>
-    <td class="DataTD"><?=_("Address")?></td>
-  </tr>
+<h4><?= _("There is a new method for generating a CSR for this page.") ?></h5>
+<p><?= _("It is completely described in https://wiki.cacert.org/TutorialsHowto/Generate-new-CSR, which you should follow.  At the point where it says \"Copy CSR to Clipboard\" do that and come back to this page and paste the result into the textbox at the bottom of this page.") ?></p>
+<p><a href='https://community.cacert.org/clientcert' target=_blank ><?= _("Here is a link to that procedure. It will open in a new tab.") ?></a></p>
 
-<?
-	$query = "select * from `email` where `memid`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 and `hash`=''";
-	$res = mysql_query($query);
-	while($row = mysql_fetch_assoc($res))
-	{ ?>
-  <tr>
-    <td class="DataTD"><input type="checkbox" id="addid<?=intval($row['id'])?>" name="addid[]" value="<?=intval($row['id'])?>"></td>
-    <td class="DataTD" align="left"><label for="addid<?=intval($row['id'])?>"><?=sanitizeHTML($row['email'])?></label></td>
-  </tr>
-<? }
-if($_SESSION['profile']['points'] >= 50)
-{
-	$fname = $_SESSION['profile']['fname'];
-	$mname = $_SESSION['profile']['mname'];
-	$lname = $_SESSION['profile']['lname'];
-	$suffix = $_SESSION['profile']['suffix'];
-?>
-  <tr>
-    <td class="DataTD" colspan="2" align="left">
-      <input type="radio" id="incname0" name="incname" value="0" checked="checked" />
-        <label for="incname0"><?=_("No Name")?></label><br />
-      <? if($fname && $lname) { ?>
-        <input type="radio" id="incname1" name="incname" value="1" />
-        <label for="incname1"><?=_("Include")?> '<?=$fname." ".$lname?>'</label><br />
-      <? } ?>
-      <? if($fname && $mname && $lname) { ?>
-        <input type="radio" id="incname2" name="incname" value="2" />
-        <label for="incname2"><?=_("Include")?> '<?=$fname." ".$mname." ".$lname?>'</label><br />
-      <? } ?>
-      <? if($fname && $lname && $suffix) { ?>
-        <input type="radio" id="incname3" name="incname" value="3" />
-        <label for="incname3"><?=_("Include")?> '<?=$fname." ".$lname." ".$suffix?>'</label><br />
-      <? } ?>
-      <? if($fname && $mname && $lname && $suffix) { ?>
-        <input type="radio" id="incname4" name="incname" value="4" />
-        <label for="incname4"><?=_("Include")?> '<?=$fname." ".$mname." ".$lname." ".$suffix?>'</label><br />
+<form method="post" action="account.php">
+  <table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
+    <tr>
+      <td colspan="2" class="title"><?=_("New Client Certificate")?></td>
+    </tr>
+    <tr>
+      <td class="DataTD"><?=_("Add")?></td>
+      <td class="DataTD"><?=_("Address")?></td>
+    </tr>
+
+    <?
+      $query = "select * from `email` where `memid`='" . intval($_SESSION[ 'profile' ][ 'id' ] ) . "' and `deleted`=0 and `hash`=''";
+      $res   = mysql_query($query );
+      while ($row = mysql_fetch_assoc($res))
+      { ?>
+        <tr>
+          <td class="DataTD"><input type="checkbox" id="addid<?=intval($row['id']) ?>" name="addid[]" value="<?=intval($row['id']) ?>"></td>
+          <td class="DataTD" align="left"><label for="addid<?=intval($row['id'])?>"><?=sanitizeHTML($row['email'])?></label></td>
+        </tr>
+      <? }
+      if ($_SESSION[ 'profile' ][ 'points' ] >= 50 )
+      {
+        $fname  = $_SESSION[ 'profile' ][ 'fname' ];
+        $mname  = $_SESSION[ 'profile' ][ 'mname' ];
+        $lname  = $_SESSION[ 'profile' ][ 'lname' ];
+        $suffix = $_SESSION[ 'profile' ][ 'suffix' ];
+        ?>
+        <tr>
+          <td class="DataTD" colspan="2" align="left">
+            <input type="radio" id="incname0" name="incname" value="0" checked="checked"/>
+            <label for="incname0"><?= _("No Name") ?></label><br/>
+            <? if ($fname && $lname ) { ?>
+              <input type="radio" id="incname1" name="incname" value="1"/>
+              <label for="incname1"><?= _("Include") ?> '<?= $fname . " " . $lname ?>'</label><br/>
+            <? } ?>
+            <? if ($fname && $mname && $lname ) { ?>
+              <input type="radio" id="incname2" name="incname" value="2"/>
+              <label for="incname2"><?= _("Include") ?> '<?= $fname . " " . $mname . " " . $lname ?> '</label><br/>
+            <? } ?>
+            <? if ($fname && $lname && $suffix ) { ?>
+              <input type="radio" id="incname3" name="incname" value="3"/>
+              <label for="incname3"><?= _("Include") ?> '<?= $fname . " " . $lname . " " . $suffix ?> '</label><br/>
+            <? } ?>
+            <? if ($fname && $mname && $lname && $suffix ) { ?>
+              <input type="radio" id="incname4" name="incname" value="4"/>
+              <label for="incname4"><?= _("Include") ?> '<?= $fname . " " . $mname . " " . $lname . " " . $suffix ?>'</label><br/>
+            <? } ?>
+          </td>
+        </tr>
       <? } ?>
-    </td>
-  </tr>
-<? } ?>
 
-  <tr>
-    <td class="DataTD">
-      <input type="checkbox" id="login" name="login" value="1" checked="checked" />
-    </td>
-    <td class="DataTD" align="left">
-      <label for="login"><?=_("Enable certificate login with this certificate")?><br />
-      <?=_("By allowing certificate login, this certificate can be used to login into this account at https://secure.cacert.org/ .")?></label>
-    </td>
-  </tr>
-  <tr>
-    <td class="DataTD" colspan="2" align="left">
-      <label for="description"><?=_("Optional comment, only used in the certificate overview")?></label><br />
-      <input type="text" id="description" name="description" maxlength="100" size="100" />
-    </td>
-  </tr>
-
-  <tr name="expertoff" style="display:none">
-    <td class="DataTD">
-      <input type="checkbox" id="expertbox" name="expertbox" onchange="showExpert(this.checked)" />
-    </td>
-    <td class="DataTD" align="left">
-      <label for="expertbox"><?=_("Show advanced options")?></label>
-    </td>
-  </tr>
+      <tr>
+        <td class="DataTD">
+          <input type="checkbox" id="login" name="login" value="1" checked="checked"/>
+        </td>
+        <td class="DataTD" align="left">
+          <label for="login"><?= _("Enable certificate login with this certificate") ?><br/>
+          <?= _("By allowing certificate login, this certificate can be used to login into this account at https://secure.cacert.org/ .") ?></label>
+        </td>
+      </tr>
+      <tr>
+        <td class="DataTD" colspan="2" align="left">
+          <label for="description"><?= _("Optional comment, only used in the certificate overview") ?></label><br/>
+          <input type="text" id="description" name="description" maxlength="100" size="100"/>
+        </td>
+      </tr>
 
 <?
-if($_SESSION['profile']['points'] >= 50)
-{
-?>
-  <tr name="expert">
-    <td class="DataTD" colspan="2" align="left">
-      <input type="radio" id="root1" name="rootcert" value="1" /> <label for="root1"><?=_("Sign by class 1 root certificate")?></label><br />
-      <input type="radio" id="root2" name="rootcert" value="2" checked="checked" /> <label for="root2"><?=_("Sign by class 3 root certificate")?></label><br />
-      <?=str_replace("\n", "<br />\n", wordwrap(_("Please note: If you use a certificate signed by the class 3 root, the class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain."), 125))?>
-    </td>
-  </tr>
-<? } ?>
-
-  <tr name="expert">
-    <td class="DataTD" colspan="2" align="left">
-      <?=_("Hash algorithm used when signing the certificate:")?><br />
-      <?
-      foreach (HashAlgorithms::getInfo() as $algorithm => $display_info) {
-      ?>
-        <input type="radio" id="hash_alg_<?=$algorithm?>" name="hash_alg" value="<?=$algorithm?>" <?=(HashAlgorithms::$default === $algorithm)?'checked="checked"':''?> />
-        <label for="hash_alg_<?=$algorithm?>"><?=$display_info['name']?><?=$display_info['info']?' - '.$display_info['info']:''?></label><br />
-      <?
-      }
+	if($_SESSION['profile']['points'] >= 50)
+	{
       ?>
-    </td>
-  </tr>
-
-<? if($_SESSION['profile']['points'] >= 100 && $_SESSION['profile']['codesign'] > 0) { ?>
-  <tr name="expert">
-    <td class="DataTD">
-      <input type="checkbox" id="codesign" name="codesign" value="1" />
-    </td>
-    <td class="DataTD" align="left">
-      <label for="codesign"><?=_("Code Signing")?><br />
-      <?=_("Please note: By ticking this box you will automatically have your name included in the certificate.")?></label>
-    </td>
-  </tr>
+      <tr>
+        <td class="DataTD" colspan="2" align="left">
+          <input type="radio" id="root1" name="rootcert" value="1" /> <label for="root1"><?=_("Sign by class 1 root certificate")?></label><br />
+          <input type="radio" id="root2" name="rootcert" value="2" checked="checked"/> <label for="root2"><?= _("Sign by class 3 root certificate") ?></label><br/>
+          <?= str_replace("\n", "<br />\n", wordwrap(_("Please note: If you use a certificate signed by the class 3 root, the class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain."), 125 ) ) ?>
+        </td>
+      </tr>
 <? } ?>
 
-  <tr name="expert">
-    <td class="DataTD">
-      <input type="checkbox" id="SSO" name="SSO" value="1" />
-    </td>
-    <td class="DataTD" align="left">
-      <label for="SSO"><?=_("Add Single Sign On ID Information")?><br />
-      <?=str_replace("\n", "<br>\n", wordwrap(_("By adding Single Sign On (SSO) ID information to your certificates this could be used to track you, you can also issue certificates with no email addresses that are useful only for Authentication. Please see a more detailed description on our WIKI about it."), 125))?>
-      <a href="http://wiki.cacert.org/wiki/SSO"><?=_("SSO WIKI Entry")?></a></label>
-    </td>
-  </tr>
-
-  <tr name="expert">
-    <td class="DataTD" colspan="2">
-      <label for="optionalCSR"><?=_("Optional Client CSR, no information on the certificate will be used")?></label><br />
-      <textarea id="optionalCSR" name="optionalCSR" cols="80" rows="5"></textarea>
-    </td>
-  </tr>
-
-
-  <tr>
-    <td class="DataTD">
-      <input type="checkbox" id="CCA" name="CCA" />
-    </td>
-    <td class="DataTD" align="left">
-      <label for="CCA"><strong><?=sprintf(_("I accept the CAcert Community Agreement (%s)."),"<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>")?></strong><br />
-      <?=_("Please note: You need to accept the CCA to proceed.")?></label>
-    </td>
-  </tr>
-  <tr>
-    <td class="DataTD" colspan="2"><input type="submit" name="process" value="<?=_("Next")?>" /></td>
-  </tr>
-</table>
-<input type="hidden" name="oldid" value="<?=$id?>" />
-</form>
+      <tr>
+        <td class="DataTD" colspan="2" align="left">
+        <?= _("Hash algorithm used when signing the certificate:") ?><br/>
+        <?
+        foreach (HashAlgorithms::getInfo() as $algorithm => $display_info ) {
+        ?>
+          <input type="radio" id="hash_alg_<?=$algorithm?>" name="hash_alg" value="<?= $algorithm ?>" <?= (HashAlgorithms::$default === $algorithm) ? 'checked="checked"' : '' ?> />
+          <label for="hash_alg_<?= $algorithm ?>"><?= $display_info[ 'name' ] ?><?= $display_info[ 'info' ] ? ' - ' . $display_info[ 'info' ] : '' ?></label><br/>
+        <?
+          }
+        ?>
+        </td>
+      </tr>
+
+      <? if ($_SESSION[ 'profile' ][ 'points' ] >= 100 && $_SESSION[ 'profile' ][ 'codesign' ] > 0 ) { ?>
+        <tr>
+          <td class="DataTD">
+            <input type="checkbox" id="codesign" name="codesign" value="1"/>
+          </td>
+          <td class="DataTD" align="left">
+            <label for="codesign"><?= _("Code Signing") ?><br/>
+            <?= _("Please note: By ticking this box you will automatically have your name included in the certificate.") ?></label>
+          </td>
+        </tr>
+      <? } ?>
 
-<script language="javascript">
-function showExpert(a)
-{
-  b=document.getElementsByName("expert");
-  for(i=0;b.length>i;i++)
-  {
-    if(!a) {b[i].setAttribute("style","display:none"); }
-    else {b[i].removeAttribute("style");}
-  }
-  b=document.getElementsByName("expertoff");
-  for(i=0;b.length>i;i++)
-  {
-    b[i].removeAttribute("style");
-  }
-
-}
-showExpert(false);
-</script>
+      <tr>
+        <td class="DataTD">
+          <input type="checkbox" id="SSO" name="SSO" value="1"/>
+        </td>
+        <td class="DataTD" align="left">
+          <label for="SSO"><?= _("Add Single Sign On ID Information") ?><br/>
+          <?= str_replace("\n", "<br>\n", wordwrap(_("By adding Single Sign On (SSO) ID information to your certificates this could be used to track you, you can also issue certificates with no email addresses that are useful only for Authentication. Please see a more detailed description on our WIKI about it."), 125 ) ) ?>
+            <a href="http://wiki.cacert.org/wiki/SSO"><?= _("SSO WIKI Entry") ?></a></label>
+        </td>
+      </tr>
+
+      <tr>
+        <td class="DataTD" colspan="2">
+            <label for="optionalCSR"><?= _("Paste Client CSR here") ?></label><br/>
+            <textarea id="optionalCSR" name="optionalCSR" cols="80" rows="5"></textarea>
+        </td>
+      </tr>
+
+      <tr>
+        <td class="DataTD">
+          <input type="checkbox" id="CCA" name="CCA"/>
+        </td>
+        <td class="DataTD" align="left">
+          <label for="CCA"><strong><?= sprintf(_("I accept the CAcert Community Agreement (%s)."), "<a href='/policy/CAcertCommunityAgreement.html'>CCA</a>") ?></strong><br/>
+          <?= _("Please note: You need to accept the CCA to proceed.") ?></label>
+        </td>
+      </tr>
+
+      <tr>
+        <td class="DataTD" colspan="2"><input type="submit" name="process" value="<?= _("Next") ?>"/></td>
+      </tr>
+    </table>
+  <input type="hidden" name="oldid" value="<?= $id ?>"/>
+</form>

scripts/cron/removedead.php

@@ -39,6 +39,12 @@
 			(UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`created`)) >= 172800";
 	mysql_query($query);
 
+	// removes entries that where introduced due to missing/wrong default value
+	// in MariaDB strict mode, see https://bugs.cacert.org/view.php?id=1543
+	$query = "delete from `email` where `memid`=0 and
+			(UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`created`)) >= 172800";
+	mysql_query($query);
+
 	$query = "delete from `disputedomain` where `hash`!='' and
 			(UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`created`)) >= 21600";
 	mysql_query($query);

www/certs/CAcert_Class3Root_x14E228.crt

@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMw
+IwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAC
+hiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoG
+CysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5v
+cmcvY2xhc3MzLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9
+dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3
+hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/
+mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGq
+eSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6Hh
+LSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5
+/LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QU
+qGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k5
+0cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQnk2AbL4c7nCkuAcEKw1BAlSETkfq
+i5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUE
+CokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87
+cSvOK6eB1kdGKLA8ymXxZp8=
+-----END CERTIFICATE-----
+

www/certs/CAcert_Class3Root_x14E228.txt

@@ -0,0 +1,132 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1368616 (0x14e228)
+    Signature Algorithm: sha512WithRSAEncryption
+        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
+        Validity
+            Not Before: Apr 19 12:18:30 2021 GMT
+            Not After : Apr 17 12:18:30 2031 GMT
+        Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:ab:49:35:11:48:7c:d2:26:7e:53:94:cf:43:a9:
+                    dd:28:d7:42:2a:8b:f3:87:78:19:58:7c:0f:9e:da:
+                    89:7d:e1:fb:eb:72:90:0d:74:a1:96:64:ab:9f:a0:
+                    24:99:73:da:e2:55:76:c7:17:7b:f5:04:ac:46:b8:
+                    c3:be:7f:64:8d:10:6c:24:f3:61:9c:c0:f2:90:fa:
+                    51:e6:f5:69:01:63:c3:0f:56:e2:4a:42:cf:e2:44:
+                    8c:25:28:a8:c5:79:09:7d:46:b9:8a:f3:e9:f3:34:
+                    29:08:45:e4:1c:9f:cb:94:04:1c:81:a8:14:b3:98:
+                    65:c4:43:ec:4e:82:8d:09:d1:bd:aa:5b:8d:92:d0:
+                    ec:de:90:c5:7f:0a:c2:e3:eb:e6:31:5a:5e:74:3e:
+                    97:33:59:e8:c3:03:3d:60:33:bf:f7:d1:6f:47:c4:
+                    cd:ee:62:83:52:6e:2e:08:9a:a4:d9:15:18:91:a6:
+                    85:92:47:b0:ae:48:eb:6d:b7:21:ec:85:1a:68:72:
+                    35:ab:ff:f0:10:5d:c0:f4:94:a7:6a:d5:3b:92:7e:
+                    4c:90:05:7e:93:c1:2c:8b:a4:8e:62:74:15:71:6e:
+                    0b:71:03:ea:af:15:38:9a:d4:d2:05:72:6f:8c:f9:
+                    2b:eb:5a:72:25:f9:39:46:e3:72:1b:3e:04:c3:64:
+                    27:22:10:2a:8a:4f:58:a7:03:ad:be:b4:2e:13:ed:
+                    5d:aa:48:d7:d5:7d:d4:2a:7b:5c:fa:46:04:50:e4:
+                    cc:0e:42:5b:8c:ed:db:f2:cf:fc:96:93:e0:db:11:
+                    36:54:62:34:38:8f:0c:60:9b:3b:97:56:38:ad:f3:
+                    d2:5b:8b:a0:5b:ea:4e:96:b8:7c:d7:d5:a0:86:70:
+                    40:d3:91:29:b7:a2:3c:ad:f5:8c:bb:cf:1a:92:8a:
+                    e4:34:7b:c0:d8:6c:5f:e9:0a:c2:c3:a7:20:9a:5a:
+                    df:2c:5d:52:5c:ba:47:d5:9b:ef:24:28:70:38:20:
+                    2f:d5:7f:29:c0:b2:41:03:68:92:cc:e0:9c:cc:97:
+                    4b:45:ef:3a:10:0a:ab:70:3a:98:95:70:ad:35:b1:
+                    ea:85:2b:a4:1c:80:21:31:a9:ae:60:7a:80:26:48:
+                    00:b8:01:c0:93:63:55:22:91:3c:56:e7:af:db:3a:
+                    25:f3:8f:31:54:ea:26:8b:81:59:f9:a1:d1:53:11:
+                    c5:7b:9d:03:f6:74:11:e0:6d:b1:2c:3f:2c:86:91:
+                    99:71:9a:a6:77:8b:34:60:d1:14:b4:2c:ac:9d:af:
+                    8c:10:d3:9f:c4:6a:f8:6f:13:fc:73:59:f7:66:42:
+                    74:1e:8a:e3:f8:dc:d2:6f:98:9c:cb:47:98:95:40:
+                    05:fb:e9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.CAcert.org/
+                CA Issuers - URI:http://www.CAcert.org/class3.crt
+
+            X509v3 Certificate Policies: 
+                Policy: 1.3.6.1.4.1.18506.2.3.1
+                  CPS: http://www.CAcert.org/cps.php
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:https://www.cacert.org/class3.crl
+
+    Signature Algorithm: sha512WithRSAEncryption
+         c6:1e:ad:77:5c:b4:28:9b:d1:c8:8d:44:12:c0:bd:76:76:04:
+         83:21:07:f8:11:82:7f:6b:c1:95:42:c0:38:11:b5:25:70:8d:
+         8b:0c:c1:d5:6c:fd:1c:1a:03:7c:8b:f8:06:31:a5:9d:de:41:
+         29:d4:8b:9b:84:d7:3d:c1:37:86:71:a3:1f:5b:61:29:1e:5d:
+         77:7d:bb:f0:ad:b9:15:19:13:14:e6:35:80:ff:a6:19:b4:37:
+         85:94:41:e8:88:c3:5f:e0:b2:06:a4:bb:f8:40:a9:1d:39:ac:
+         ed:ea:3f:98:04:4d:f9:8c:f9:47:79:73:52:f5:ec:df:34:97:
+         fb:3e:77:e0:dc:d1:83:88:ba:88:73:47:5a:a6:a4:15:c4:0d:
+         70:0d:0f:9e:4b:13:07:7e:ef:18:3e:f9:a5:01:aa:79:29:b1:
+         e7:52:fa:53:3a:c8:a6:7f:b6:ef:89:a1:b1:a1:4d:2f:ce:63:
+         85:7f:a5:2a:e9:3b:d4:c1:a3:cf:0a:13:85:bb:99:d7:9c:66:
+         90:84:e7:66:d4:50:b3:a1:e1:2d:22:2a:25:68:c3:20:b2:2b:
+         c4:ba:98:1d:e8:4a:ef:5c:58:c2:b4:4d:84:56:f7:4e:bb:16:
+         68:42:6c:92:b8:6f:78:cd:0e:b3:fb:ef:a0:b3:64:87:f2:f7:
+         88:44:39:fc:b9:e6:2c:c0:98:24:d4:40:2c:5e:c8:ee:0b:1d:
+         b8:02:4d:26:b8:0a:18:c6:2f:1e:4b:75:6e:8f:2e:21:73:bc:
+         c2:03:55:ee:aa:14:e0:9a:1a:07:53:0b:df:44:14:a8:67:05:
+         af:44:c8:d3:a1:45:76:02:b6:7f:0c:b9:86:e9:4f:c6:6e:b0:
+         bb:15:b4:bf:e8:80:b5:76:31:fe:64:64:c1:0a:58:6d:c5:50:
+         b6:b2:03:bf:1d:42:4f:59:39:d1:c4:31:8b:e8:c8:2a:39:1c:
+         15:61:f0:de:40:68:0e:70:a8:b3:4f:ee:91:e8:0f:4f:b6:90:
+         9e:4d:80:6c:be:1c:ee:70:a4:b8:07:04:2b:0d:41:02:54:84:
+         4e:47:ea:8b:96:ed:76:58:61:e7:c3:21:7b:06:6f:d4:b7:0b:
+         e7:34:32:83:cc:35:a6:e7:25:4f:7c:17:42:fc:bc:57:03:c6:
+         9f:42:7f:98:60:f8:80:b2:d9:f6:b1:9c:1c:35:04:0a:89:31:
+         16:85:a4:fa:ee:4c:09:c5:6a:98:66:ec:c8:6e:2a:e6:cb:92:
+         dc:23:6c:96:c1:d4:45:f3:3c:6d:02:b8:a0:bb:c7:47:c2:c2:
+         1c:40:4c:45:c7:45:06:7f:3b:71:2b:ce:2b:a7:81:d6:47:46:
+         28:b0:3c:ca:65:f1:66:9f
+-----BEGIN CERTIFICATE-----
+MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMw
+IwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAC
+hiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoG
+CysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5v
+cmcvY2xhc3MzLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9
+dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3
+hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/
+mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGq
+eSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6Hh
+LSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5
+/LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QU
+qGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k5
+0cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQnk2AbL4c7nCkuAcEKw1BAlSETkfq
+i5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUE
+CokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87
+cSvOK6eB1kdGKLA8ymXxZp8=
+-----END CERTIFICATE-----

www/index.php

@@ -153,7 +153,7 @@ require_once('../includes/notary.inc.php');
 	{
 		include_once("../includes/lib/general.php");
 		$user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
-				$_SERVER['SSL_CLIENT_I_DN_CN']);
+				$_SERVER['SSL_CLIENT_I_DN_CN'], get_email_addresses_from_client_cert());
 
 		if($user_id >= 0)
 		{
@@ -479,7 +479,7 @@ if ($oldid == 52 )
 			write_user_agreement($memid, "CCA", "account creation", "", 1);
 
 			$body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
-			$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
+			$body .= "https://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
 			$body .= _("Best regards")."\n"._("CAcert.org Support!");
 
 			sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");

www/policy/CAcertCommunityAgreement.html

@@ -68,8 +68,8 @@
   <h4><a name="0.1">0.1</a> Terms</h4>
 
   <ol>
-    <li>"CAcert" means CAcert Inc., a non-profit Association of Members
-    incorporated in New South Wales, Australia. Note that Association Members
+    <li>"CAcert" means CAcert Inc., a non-profit Association of Members.
+    Note that Association Members
     are distinct from the Members defined here.</li>
 
     <li>"Member" means you, a registered participant within CAcert's Community,
@@ -295,8 +295,7 @@
 
   <h4><a name="3.1">3.1</a> Governing Law</h4>
 
-  <p>This agreement is governed under the law of New South Wales, Australia,
-  being the home of the CAcert Inc. Association.</p>
+  <p>This agreement is governed under the law of New South Wales, Australia.</p>
 
   <h4><a name="3.2">3.2</a> Arbitration as Forum of Dispute Resolution</h4>
 

www/policy/PrivacyPolicy.html

@@ -99,13 +99,7 @@ Please see <a href='http://www.privacy.gov.au/'>http://www.privacy.gov.au/</a> f
 Governmental warrants and civil supoenas will be processed through the dispute resolution system, which ensures that valid authority is given to whoever complies with the supoena or the warrant.
 </p>
 
-
-<p>If you need to contact us in writing, address your mail to:</p>
-<p>
-CAcert Inc.<br />
-PO Box 66 <br />
-Oatley NSW 2223<br />
-Australia
+<p>If you need to contact us in writing, address your mail to the postal address of CAcert Inc. The current postal address of Cacert Inc. can be found on CAcert's web site.
 </p>
 <p><a href="http://validator.w3.org/check?uri=referer"><img src="images/valid-html50-blue.png" alt="Valid HTML 5" height="31" width="88"></a></p>
 </body>

www/policy/RootDistributionLicense.html

@@ -51,7 +51,7 @@ Editor: Mark Lipscombe
 <h2 id="g0.1">1. Terms </h2>
 
 <p>
-"CAcert Inc" means CAcert Incorporated, a non-profit association incorporated in New South Wales, Australia.
+"CAcert Inc" means CAcert Incorporated, a non-profit association.
 <br>
 "CAcert Community Agreement" means the agreement entered into by each person wishing to RELY.
 <br>

www/src-lic.php

@@ -1,6 +1,6 @@
 <? /*
     LibreSSL - CAcert web application
-    Copyright (C) 2004-2008  CAcert Inc.
+    Copyright (C) 2004-2023  CAcert Inc.
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -17,21 +17,10 @@
 */
 	if(array_key_exists('iagree',$_REQUEST) && $_REQUEST['iagree'] == "yes")
 	{
-		$output_file = $fname = readlink("../tarballs/current.tar.bz2");
-
-		header('Pragma: public');
-
-		header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
-		header('Cache-Control: no-store, no-cache, must-revalidate'); // HTTP/1.1
-		header('Cache-Control: pre-check=0, post-check=0, max-age=0'); // HTTP/1.1
-		header('Content-Transfer-Encoding: none');
-		header('Content-Type: application/octetstream; name="' . $output_file . '"'); //This should work for IE & Opera
-		header('Content-Type: application/octet-stream; name="' . $output_file . '"'); //This should work for the rest
-		header('Content-Disposition: inline; filename="' . $output_file . '"');
-		header("Content-length: ".intval(filesize($_SESSION['_config']['filepath']."/tarballs/$fname")));
-		readfile($_SESSION['_config']['filepath']."/tarballs/$fname");
+		header('Location: https://code.cacert.org/cacert/cacert-webdb/archive/main.tar.gz', TRUE, 302);
 		exit;
 	}
+
 	loadem("index");
 	showheader(_("CAcert Source License"));
 ?>