On Sunday 04 September 2011 05:55:27 Kurt Roeckx wrote: > On Sun, Sep 04, 2011 at 12:02:48PM +0200, Kurt Roeckx wrote: > > Their is also openssl-blacklist, but it doesn't seem to have > > much users.
However, opensl-blacklist only includes a program that checks wether a certificate is weak, nothing in it AFAICS actually blocks them. It's basically useless for this case. > After having read the bug report, I think we need to have a way > to say that we don't trust a CA, or have a concept for which > things we do trust a CA. I think NSS has this concept, but > openssl or ca-certificates clearly can't express this currently. > > An other way of saying the same thing would be to be able to > blacklist a CA. The openssl-blacklist only contains a list of > blocked certificates, but nothing in it now checks the trust > path to see if it's used anywhere in the chain. The only currently supported methods are OCSP and CRL, but none would do the trick in this case. I was thinking about hard-coding a check for CN=* DigiNotar * most likely in libcrypto's X.509 support, but so far my lack of knowledge of OpenSSL's internals has me a bit lost. Hard-coding it is suboptimal, but I think it is the only reasonable solution for the time being. We can't wait weeks or months for a better solution. What do you think about making such change? > If we want to add something, it would be nice if all SSL/TLS > libraries could do that. As far as I know, this currently > includes: > - openssl > - gnutls > - nss > - polarssl > > I think I'm forgetting something for java. And have the feeling > I still forget something else. Java: JSSE (but not sure what its status is in openjdk) python-tlslite yassl (cyassl now?), only used by mysql last time I checked Not sure if we have a copy of cryptlib somewhere Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
