
/etc/pki/tls and /etc/ssl/certs include distrusted certificates #19

Closed
xry111 opened this issue Jan 8, 2022 · 0 comments · Fixed by #20


xry111 commented Jan 8, 2022

Reported by Robert Bartel via blfs-dev, and it also happens on my system:

Just recently I noticed that the /etc/pki/tls/certs/ca-bundle.crt generated by
make-ca 1.9 includes two explicitly distrusted certificates as indicated by
their comments:

```text
# Explicitly Distrust DigiNotar Root CA
# Explicitly Distrusted DigiNotar PKIoverheid G2
```

It seems to me that p11-kit and OpenSSL can explicitly distrust certificates in
their CA stores for various usage purposes while the PEM bundle format
(ca-bundle.crt) used mainly by GnuTLS does not support this. So my
interpretation is that all applications using the bundles will trust these bad
certificates.

As make-ca uses p11-kit's "trust extract" utility to generate the PEM bundles, I
looked in trust/extract-pem.c of p11-kit 0.24. Here it looks like it iterates
over all certificates in the CA store and the trust status is only indicated by
the generated comment line. But I could be wrong.

I'm not wanting to create a GitHub account right now to report the issue to the
p11-kit project, so I first ask here if anyone can confirm or reject this?

For the time being I resorted to removing the bad certificates by using the
following command line:

```sh
for file in /etc/pki/tls/certs/*.crt; do
    # Drop each block from a "# Explicitly Distrust..." comment line through the
    # matching -----END line; every other line is printed unchanged.
    awk -- '/^# Explicitly Distrust/    { delcert = 1 }
            !delcert                    { print }
            /^-----END/                 { delcert = 0 }' "${file}" >"${file}.tmp"
    mv -vf "${file}.tmp" "${file}"
    chmod -v 444 "${file}"
done
```

Thank you for reading this and keep up the good work!
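As an added check, not part of this issue report nor of make-ca or p11-kit, the following Python parses a bundle in the comment-plus-PEM layout described above, reports which entries are labelled as explicitly distrusted (so the problem can be detected, not only silently stripped as the awk loop does), and writes out a bundle without them. The sample bundle and its base64 bodies are constructed placeholders, not real certificates.

```python
import re
from collections import namedtuple

# In a 'trust extract' PEM bundle each certificate block is preceded by a '# ...'
# label line; an explicit distrust survives only as the wording of that label.
DISTRUST_RE = re.compile(r"^# Explicitly Distrust")
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# comment: label line before the block ('' if none); pem: BEGIN..END block, delimiters included
BundleEntry = namedtuple("BundleEntry", "comment pem distrusted")

def parse_bundle(text):
    """Split a bundle into entries; raise ValueError on a block without an END line."""
    entries, comment, block = [], "", None
    for line in text.splitlines():
        if block is not None:
            block.append(line)
            if line == END:
                entries.append(BundleEntry(comment, "\n".join(block), bool(DISTRUST_RE.match(comment))))
                comment, block = "", None
        elif line.startswith("#"):
            comment = line.strip()
        elif line == BEGIN:
            block = [line]
    if block is not None:
        raise ValueError("unterminated CERTIFICATE block")
    return entries

def distrusted_labels(text):
    """Labels of entries the bundle marks as distrusted yet still ships as trust anchors."""
    return [e.comment for e in parse_bundle(text) if e.distrusted]

def filter_bundle(text):
    """Rewrite the bundle with every explicitly distrusted entry removed."""
    return "".join(f"{e.comment}\n{e.pem}\n\n" for e in parse_bundle(text) if not e.distrusted)

# Constructed sample bundle: the base64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """\
# Example Trusted Root (constructed)
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgdHJ1c3RlZCByb290
-----END CERTIFICATE-----
# Explicitly Distrust DigiNotar Root CA
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgZGlzdHJ1c3RlZCAx
-----END CERTIFICATE-----
# Explicitly Distrusted DigiNotar PKIoverheid G2
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgZGlzdHJ1c3RlZCAy
-----END CERTIFICATE-----
"""
```

Running `distrusted_labels` over the real `/etc/pki/tls/certs/ca-bundle.crt` is a quick way to confirm whether a given make-ca output is affected.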

xry111 added a commit to xry111/make-ca that referenced this issue Jan 8, 2022
@xry111 xry111 changed the title ca-bundle.crt includes distrusted certificates /etc/pki/tls and /etc/ssl/certs include distrusted certificates Jan 8, 2022