Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#53768 - [ca-certificates-utils] Bogus Certs in 'update-ca-certificates extract' output
Attached to Project:
Arch Linux
Opened by Lukas Platz (lplatz) - Sunday, 23 April 2017, 22:34 GMT
Last edited by Jan Alexander Steffens (heftig) - Wednesday, 26 April 2017, 09:56 GMT
Details

Description:
The file '/etc/ca-certificates/extracted/ca-bundle.trust.crt' contains several 'bogus certificates'. (Search for '# Bogus') These stem from '/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit', where they are marked with 'x-distrusted: true'. I believe the update-ca-certificates program adds them erroneously, but I have no deeper understanding of these cert stores.

This forum post http://openssl.6102.n7.nabble.com/CA-certificate-bundle-bogus-certs-tp47452p47473.html suggests this is indeed a bug in parsing the mozilla trust file.

With kind regards,
Lukas Platz

Additional info:
Versions:
- ca-certificates 20170307-1
- ca-certificates-cacert 20140824-4
- ca-certificates-mozilla 3.30.1-1
- ca-certificates-utils 20170307-1

Steps to reproduce:
- install ca-certificates
- search '/etc/ca-certificates/extracted/ca-bundle.trust.crt' for '# Bogus'
Closed by Jan Alexander Steffens (heftig)
Wednesday, 26 April 2017, 09:56 GMT
Reason for closing: Not a bug
Additional comments about closing: Behavior is correct.
If you send one of the bogus certs into "openssl x509 -text", you will see that it has "No Trusted Uses" and "Rejected Uses" lists everything, meaning that any cert chain containing this certificate will be immediately rejected.
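
The trust settings mentioned in the closing comment are stored in the bundle itself, appended to each certificate in OpenSSL's `TRUSTED CERTIFICATE` format. The following is an added example, not part of the original report or of ca-certificates-utils: it reads those blocks and returns the trusted and rejected uses for each entry. The sample input is constructed and uses placeholder DER in place of a real certificate; the function and variable names are this example's own.

```python
import base64, re

# Extended key usage OIDs that OpenSSL prints as trusted / rejected uses.
USES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
        "1.3.6.1.5.5.7.3.3": "codeSigning", "1.3.6.1.5.5.7.3.4": "emailProtection"}

def children(buf):
    """Split DER bytes into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def use_name(value):
    """Decode OBJECT IDENTIFIER content bytes; map known OIDs to use names."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    dotted = ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))
    return USES.get(dotted, dotted)

def trust_settings(bundle):
    """Yield alias/trusted/rejected for each TRUSTED CERTIFICATE block."""
    pat = r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)-----END TRUSTED CERTIFICATE-----"
    for body in re.findall(pat, bundle, re.S):
        parts = children(base64.b64decode(body))  # [certificate, X509_CERT_AUX]
        info = {"alias": None, "trusted": [], "rejected": []}
        aux = parts[1][1] if len(parts) > 1 else b""  # no aux block: no settings
        for tag, v in children(aux):
            uses = [use_name(o) for _, o in children(v)] if tag in (0x30, 0xA0) else []
            if tag == 0x30: info["trusted"] = uses        # trust SEQUENCE
            elif tag == 0xA0: info["rejected"] = uses     # reject [0]
            elif tag == 0x0C: info["alias"] = v.decode()  # alias UTF8String
        yield info

# Constructed sample: placeholder DER, not a real certificate; rejects two uses.
def enc(tag, body): return bytes([tag, len(body)]) + body
sa, ep = (enc(6, bytes.fromhex("2b0601050507030" + d)) for d in "14")
blob = enc(0x30, enc(2, b"\0")) + enc(0x30, enc(0xA0, sa + ep) + enc(0x0C, b"Bogus example"))
SAMPLE = ("-----BEGIN TRUSTED CERTIFICATE-----\n" + base64.b64encode(blob).decode()
          + "\n-----END TRUSTED CERTIFICATE-----\n")
```

Run against the contents of '/etc/ca-certificates/extracted/ca-bundle.trust.crt', entries with an empty trusted list and a populated rejected list are the distrusted ones the comment describes.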