Mark H Weaver <m...@netris.org> skribis: > I think perhaps that we should be more selective in the certs we add to > ca-certificates.crt. Debian has a configuration file > /etc/ca-certificates.conf, and only adds certificates that are > explicitly listed there to ca-certificates.crt.
Based on what you write, I agree we should be more selective, but I’m not sure how we can do that. So far the approach has been to trust Mozilla’s bundle, which is apparently not such a great idea. But what can we trust here? > Several of the certs in /etc/ssl/certs have comments like this: > > # alias="Bogus Global Trustee" > # trust= > # distrust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION > CKA_TRUST_SERVER_AUTH > # openssl-distrust=codeSigning emailProtection serverAuth > > So it seems that the NSS certificate store may include known-bogus > certificates, perhaps to allow displaying a more severe security warning > than the common case of an unknown CA (e.g. self-signed certificates). > > We should find out whether these Bogus untrusted CA certificates are > present in Debian's /etc/ssl/certs, and whether they are present in its > ca-certificates.conf. We should also determine whether OpenSSL and > GnuTLS pay attention to those "distrust" comments (see above) in the > single-file certificate bundle, and whether they pay attention to them > in the smaller *.pem and hash-named files. Yes. If not, we may have to look for ‘distrust’ lines in our own code and get rid of such certificates. > I will investigate later today, but if anyone is inspired to investigate > sooner and report their findings, feel free. It could be that 993300f6c > and/or e979e6dd523 should be reverted. That seems orthogonal to me. What we could do is to change ‘x509-certificates’ to default to an empty bundle, if NSS is deemed untrustworthy. Ludo’.
