| 1 |
On 09/10/2011 10:31 AM, Grant wrote: |
| 2 |
>>> I just noticed this at the end of my openssl emerge: |
| 3 |
>>> |
| 4 |
>>> * Running 'c_rehash /etc/ssl/certs/' to rebuild hashes #333069 ... |
| 5 |
>>> WARNING: Skipping duplicate file cert_igca_rsa.pem [ ok ] |
| 6 |
>>>>>> dev-libs/openssl-1.0.0e merged. |
| 7 |
>>> |
| 8 |
>>> Since SSL is so critical I thought I should run it by you guys. Is |
| 9 |
>>> this something I should fix? I get: |
| 10 |
>>> |
| 11 |
>>> # updatedb && locate cert_igca_rsa.pem |
| 12 |
>>> /old-backup-dir/etc/ssl/certs/cert_igca_rsa.pem |
| 13 |
>>> /etc/ssl/certs/cert_igca_rsa.pem |
| 14 |
>> |
| 15 |
>> I notice I have these two symlinks in /etc/ssl/certs: |
| 16 |
>> |
| 17 |
>> lrwxrwxrwx 1 root root 9 Sep 7 05:23 3ee7e181.0 -> IGC_A.pem |
| 18 |
>> lrwxrwxrwx 1 root root 17 Sep 7 05:23 3ee7e181.1 -> cert_igca_dsa.pem |
| 19 |
>> |
| 20 |
>> After a bit of poking around I see that the ca-certificates package |
| 21 |
>> installs one cert under two different names: |
| 22 |
>> |
| 23 |
>> /usr/share/ca-certificates/gouv.fr/cert_igca_rsa.crt |
| 24 |
>> /usr/share/ca-certificates/mozilla/IGC_A.crt |
| 25 |
>> |
| 26 |
>> I don't know where the 3ee7e181 symlinks get their names, but I notice |
| 27 |
>> that the duplicate cert is actually the cert_igca_rsa.crt, not the dsa |
| 28 |
>> cert. That's a bit confusing, but at least it led me to the answer. |
| 29 |
> |
| 30 |
> Nice sleuthing! I can't say I completely understand, but everything |
| 31 |
> is OK as-is? |
| 32 |
|
| 33 |
I don't see how it could be exploited -- but that's not much comfort |
| 34 |
for either of us ;) |
Archives