FS#53768 - [ca-certificates-utils] Bogus Certs in 'update-ca-certificates extract' output

Attached to Project: Arch Linux
Opened by Lukas Platz (lplatz) - Sunday, 23 April 2017, 22:34 GMT
Last edited by Jan Alexander Steffens (heftig) - Wednesday, 26 April 2017, 09:56 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Jan de Groot (JGC)
Jan Alexander Steffens (heftig)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

The file '/etc/ca-certificates/extracted/ca-bundle.trust.crt' contains several 'bogus certificates'. (Search for '# Bogus')

These stem from '/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit', where they are marked with 'x-distrusted: true'.

I believe the update-ca-certificates program adds them erroneously, but I have no deeper understanding of these cert stores. This forum post http://openssl.6102.n7.nabble.com/CA-certificate-bundle-bogus-certs-tp47452p47473.html suggests this is indeed a bug in parsing the mozilla trust file.

With kind regards,

Lukas Platz


Additional info:
Versions:
ca-certificates 20170307-1
ca-certificates-cacert 20140824-4
ca-certificates-mozilla 3.30.1-1
ca-certificates-utils 20170307-1


Steps to reproduce:

- install ca-certificates
- search '/etc/ca-certificates/extracted/ca-bundle.trust.crt' for '# Bogus'

Closed by Jan Alexander Steffens (heftig)
Wednesday, 26 April 2017, 09:56 GMT
Reason for closing: Not a bug
Additional comments about closing: Behavior is correct.
Comment by Jan Alexander Steffens (heftig) - Wednesday, 26 April 2017, 09:31 GMT
Yes, this is expected. There are two variants of extracted certs: Legacy "stupid" PEM certs (which start with "BEGIN CERTIFICATE", like in tls-ca-bundle.pem) which contain no trust information and OpenSSL-specific certs (which start with "BEGIN TRUSTED CERTIFICATE", like in ca-bundle.trust.crt) which come with intended and rejected purposes.

If you send one of the bogus certs into "openssl x509 -text", you will see that it has "No Trusted Uses" and "Rejected Uses" lists everything, meaning that any cert chain containing this certificate will be immediately rejected.
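An added illustration of the two formats described in the comment above (example code, not part of this bug report or of ca-certificates-utils): a minimal DER reader that pulls the trust and reject lists out of an OpenSSL "TRUSTED CERTIFICATE" block, so a "No Trusted Uses / Rejected Uses" entry can be told apart from a genuinely trusted root. The sample blocks are constructed (a stub SEQUENCE stands in for the real certificate body) and the OID, alias and helper names are assumptions.

```python
import base64

def tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(data):  # (tag, value) of each element inside a constructed DER value
    pos = 0
    while pos < len(data):
        tag, val, pos = tlv(data, pos)
        yield tag, val

def parse_oid(b):  # DER OBJECT IDENTIFIER content octets -> dotted string
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def trust_info(pem):
    """OpenSSL 'TRUSTED CERTIFICATE' = Certificate DER, then X509_CERT_AUX ::= SEQUENCE { trust
    SEQUENCE OF OID OPT, reject [0] IMPLICIT SEQUENCE OF OID OPT, alias UTF8String OPT, ... }."""
    raw = base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))
    _, _cert, pos = tlv(raw)  # skip the certificate itself
    trust, reject, alias = [], [], None
    for tag, val in (children(tlv(raw, pos)[1]) if pos < len(raw) else ()):
        if tag == 0x30:
            trust = [parse_oid(v) for _, v in children(val)]
        elif tag == 0xA0:
            reject = [parse_oid(v) for _, v in children(val)]
        elif tag == 0x0C:
            alias = val.decode()
    return trust, reject, alias

def is_distrust_entry(pem):
    """'No Trusted Uses' + 'Rejected Uses': the entry makes every chain through this cert fail."""
    trust, reject, _ = trust_info(pem)
    return not trust and bool(reject)
# Constructed sample input (not real CA data): a stub Certificate SEQUENCE followed by aux data.
def der(tag, body): return bytes([tag, len(body)]) + body  # short-form lengths suffice here
OID_SERVER_AUTH = b"\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01"  # 1.3.6.1.5.5.7.3.1 (serverAuth)
STUB_CERT = der(0x30, b"\x02\x01\x01")  # stands in for a full X.509 Certificate
def pem(d): return "-----BEGIN TRUSTED CERTIFICATE-----\n%s\n-----END TRUSTED CERTIFICATE-----\n" % base64.b64encode(d).decode()
BOGUS = pem(STUB_CERT + der(0x30, der(0xA0, OID_SERVER_AUTH) + der(0x0C, b"Bogus Root")))
GOOD = pem(STUB_CERT + der(0x30, der(0x30, OID_SERVER_AUTH) + der(0x0C, b"Example Root")))
```

Running `trust_info` over each block of ca-bundle.trust.crt gives the same split that `openssl x509 -text` prints per certificate, with the "# Bogus" entries showing up as reject-only records.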
Comment by David McAdoo (geecroof) - Wednesday, 26 April 2017, 09:55 GMT
So should it be closed or not?
