Gentoo Archives: gentoo-user

From: "J. Roeleveld" <joost@××××××××.org>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Wed, 02 Jun 2021 07:23:08
Message-Id: 5467960.DvuYhMxLoT@iris
In Reply to: Re: [gentoo-user] app-misc/ca-certificates by Fannys
On Wednesday, June 2, 2021 12:28:49 AM CEST Fannys wrote:
> On June 1, 2021 4:45:45 AM UTC, "J. Roeleveld" <joost@××××××××.org> wrote:
> >On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
> >> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@×××××.com wrote
> >>
> >> > 125 config files in /etc/ssl/certs needs update.
> >> >
> >> > For certificates I would expect the old and invalid ones to be
> >> > replaced by newer ones without user intervention.
> >> >
> >> Looking through them is "interesting". There seem to be a lot of
> >> /etc/ssl/certs/????????.0 files, where "?" is either a random number
> >> or a lower case letter. These all seem to be symlinks to
> >> /etc/ssl/certs/<Some_Name>.pem. Each of those files is in turn a
> >> symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt. How
> >> much do we trust China? There are a couple of certificates in there named
> >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and
> >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any
> >> other suspicious regimes in there?
> >
> >I've always wondered about the amount of CAs that are auto-trusted on
> >any system. Including several from countries with serious human rights
> >issues.
> >
> >I could do with a tool where I can easily select which CAs to trust
> >based on country.
> >
> >--
> >Joost
>
> Is there actually any tool that can let me pick my certificates?
> If I go and start randomly deleting certificates from regimes I don't like,
> will there be any "breaking change"? I suppose Firefox uses its own
> certificate store though.

If the CA is removed from your system/app/..., any key signed by that CA will
be seen as "untrusted" (treated as if self-signed) and you need to go through
the usual hoops to allow that certificate to be used.

--
Joost
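The following script is an added example, not part of the thread. It covers both points raised above: where the `/etc/ssl/certs/????????.0` names that Walter asks about come from, and Joost's point that a certificate stops being trusted the moment its issuing CA is removed from the bundle. It assumes only the `openssl` command line tool (1.1.1 or later); the two root CAs, the leaf certificate and its host name are constructed for the demo and are not real CAs.

```shell
#!/bin/sh
# Added example, not from the thread. Builds two throwaway root CAs plus one
# leaf certificate, then shows (1) how the hash-named symlinks in
# /etc/ssl/certs are derived and (2) that a leaf is only trusted while its
# issuing root is present in the bundle used for verification.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' >"$WORK/req.cnf"

# new_root NAME CN: self-signed CA certificate NAME.pem with subject CN.
new_root() {
    openssl req -x509 -config "$WORK/req.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -days 2 -subj "/CN=$2" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
}

# new_leaf ROOT: leaf.pem for a constructed host name, signed by ROOT.
new_leaf() {
    openssl req -new -config "$WORK/req.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=leaf.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -out "$WORK/leaf.pem" -days 1 >/dev/null 2>&1
}

# hash_link CERT: the ????????.0 name that c_rehash/update-ca-certificates
# gives CERT: 8 hex digits of the subject name hash, then ".0" for the first
# slot (".1", ".2", ... are used only when two subjects hash to the same value).
hash_link() {
    printf '%s.0\n' "$(openssl x509 -noout -subject_hash -in "$1")"
}

# leaf_trusted_by BUNDLE: 0 if leaf.pem chains to a root in BUNDLE, 1 otherwise.
# -no-CAfile/-no-CApath keep the host's own trust store out of the result.
leaf_trusted_by() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

new_root demo "Demo Root CA"       # constructed; this one signs the leaf
new_root other "Other Root CA"     # constructed; unrelated CA that stays trusted
new_leaf demo

# Bundle "full" holds both roots; bundle "pruned" is the same bundle with the
# demo root removed, which is what deleting it from /etc/ssl/certs amounts to.
cat "$WORK/demo.pem" "$WORK/other.pem" >"$WORK/full.pem"
cp "$WORK/other.pem" "$WORK/pruned.pem"

echo "demo root would be linked as: $(hash_link "$WORK/demo.pem")"
leaf_trusted_by "$WORK/full.pem"   && echo "full bundle:   leaf trusted"
leaf_trusted_by "$WORK/pruned.pem" || echo "pruned bundle: leaf untrusted (issuer unknown)"
```

The pruned bundle still contains a perfectly good CA, so nothing is "broken" about the store itself; only certificates that chain to the removed root fail, and they fail the same way a self-signed certificate would. That is the behaviour Joost describes: whatever deletes entries from the system bundle (or from a per-application store) has to be followed by an explicit exception for every site or service that was issued under the removed CA.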