Reported by Robert Bartel via blfs-dev, and it also happens on my system:
Just recently I noticed that the /etc/pki/tls/certs/ca-bundle.crt generated by
make-ca 1.9 includes two explicitly distrusted certificates as indicated by
their comments:
It seems to me that p11-kit and OpenSSL can explicitly distrust certificates in
their CA stores for various usage purposes while the PEM bundle format
(ca-bundle.crt) used mainly by GnuTLS does not support this. So my
interpretation is that all applications using the bundles will trust these bad
certificates.
As make-ca uses p11-kit's "trust extract" utility to generate the PEM bundles, I
looked in trust/extract-pem.c of p11-kit 0.24. Here it looks like it iterates
over all certificates in the CA store and the trust status is only indicated by
the generated comment line. But I could be wrong.
I don't want to create a GitHub account right now to report the issue to the
p11-kit project, so I am first asking here whether anyone can confirm or reject this.
For the time being I resorted to removing the bad certificates by using the
following command line:
Thank you for reading this and keep up the good work!
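The report above says that the PEM bundle carries no machine-readable trust flag and that the distrust status survives only in the comment block "trust extract" writes before each certificate. The following is an added example, not make-ca's or p11-kit's code and not the reporter's command line (which is not reproduced above): a Python script that splits a PEM bundle into entries, reads the comment lines preceding each certificate, and drops entries whose comments match a distrust marker. The marker regex (DISTRUST_RE) and the sample bundle are assumptions, since the page does not reproduce the exact comment wording; inspect the real ca-bundle.crt and adjust the pattern before relying on it.

```python
"""Filter a PEM CA bundle by the comment block preceding each certificate.

Added example for the make-ca report; not make-ca or p11-kit code. It assumes
the bundle was generated with comments and that a distrusted entry is marked by
a comment line matching DISTRUST_RE (an assumption about the wording).
"""
import re
import sys
from typing import List, Tuple

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Assumption: a distrusted entry has a preceding comment containing the word
# "distrust"/"distrusted". Check the real bundle and adjust if the wording differs.
DISTRUST_RE = re.compile(r"^#.*\bdistrust(ed)?\b", re.IGNORECASE)

Entry = Tuple[List[str], List[str]]  # (comment lines, PEM block lines)


def split_bundle(text: str) -> List[Entry]:
    """Return one (comments, pem) entry per certificate, in bundle order.

    '#' lines seen before a BEGIN line are attached to the certificate that
    follows them; other text outside a PEM block is ignored, which is also how
    TLS libraries treat it when loading a bundle.
    """
    entries: List[Entry] = []
    comments: List[str] = []
    pem: List[str] = []
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if in_block:
            pem.append(line)
            if stripped == END:
                entries.append((comments, pem))
                comments, pem, in_block = [], [], False
        elif stripped == BEGIN:
            pem = [line]
            in_block = True
        elif stripped.startswith("#"):
            comments.append(line)
    if in_block:
        raise ValueError("truncated bundle: certificate block without END line")
    return entries


def label_of(comments: List[str]) -> str:
    """Human-readable name: the first comment line without its '#' prefix."""
    return comments[0].lstrip("#").strip() if comments else "<unlabelled>"


def is_distrusted(comments: List[str]) -> bool:
    return any(DISTRUST_RE.search(c) for c in comments)


def filter_bundle(text: str) -> Tuple[str, List[str]]:
    """Return (filtered PEM text, labels of the certificates that were dropped)."""
    out: List[str] = []
    dropped: List[str] = []
    for comments, pem in split_bundle(text):
        if is_distrusted(comments):
            dropped.append(label_of(comments))
            continue
        out.extend(comments)
        out.extend(pem)
        out.append("")  # blank line between entries, as in the source bundle
    return "\n".join(out), dropped


# Constructed sample bundle: comment wording and certificate bodies are
# placeholders, not real CA data, so the example runs offline.
SAMPLE_BUNDLE = """\
# Example Good Root CA
# trust: server-auth email
-----BEGIN CERTIFICATE-----
MIIBexampleGoodRootPlaceholder
-----END CERTIFICATE-----

# Example Explicitly Distrusted Root CA
# distrust: server-auth
-----BEGIN CERTIFICATE-----
MIIBexampleDistrustedPlaceholder
-----END CERTIFICATE-----

# Example Other Root CA
# trust: server-auth
-----BEGIN CERTIFICATE-----
MIIBexampleOtherRootPlaceholder
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Usage: python3 filter_bundle.py /etc/pki/tls/certs/ca-bundle.crt > filtered.crt
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    filtered, removed = filter_bundle(source)
    sys.stdout.write(filtered)
    for name in removed:
        print(f"dropped: {name}", file=sys.stderr)
```

Two caveats a practitioner should keep in mind: the filter only works on bundles extracted with comments, since a plain PEM bundle carries no trust information at all; and it removes a distrusted certificate entirely, which is coarser than the per-purpose distrust that p11-kit and OpenSSL can express in their own stores.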