1 |
On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote: |
2 |
> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@×××××.com wrote |
3 |
> |
4 |
> > 125 config files in /etc/ssl/certs needs update. |
5 |
> > |
6 |
> > For certificates I would expect the old and invalid ones to be replaced |
7 |
> > by newer ones without user intervention. |
8 |
> |
9 |
> Looking through them is "interesting". There seem to be a lot of |
10 |
> /etc/ssl/certs/????????.0 files, where "?" is either a random number or |
11 |
> a lower case letter. These all seem to be symlinks to |
12 |
> /etc/ssl/certs/<Some_Name>.pem. Each of those files is in turn a |
13 |
> symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt. How much |
14 |
> do we trust China? There are a couple of certificates in there named |
15 |
> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and |
16 |
> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any |
17 |
> other suspicious regimes in there? |
18 |
|
19 |
I've always wondered about the amount of CAs that are auto-trusted on any |
20 |
system. Including several from countries with serious human rights issues. |
21 |
|
22 |
I could do with a tool where I can easily select which CAs to trust based on |
23 |
country. |
24 |
|
25 |
-- |
26 |
Joost |