nmh-workers

Re: [Nmh-workers] TLS certificate validation

2016-09-24 11:15:10
Hi Ken,

> A brief survey suggests to me that common open-source systems do not
> ship a set of popular commercial root certificates.

I thought they all did.  On a couple of machines to hand.

    $ pacman -Qs certificate
    local/ca-certificates 20160507-1
        Common CA certificates (default providers)
    local/ca-certificates-cacert 20140824-3
        CAcert.org root certificates
    local/ca-certificates-mozilla 3.26-1
        Mozilla's set of trusted CA certificates
    local/ca-certificates-utils 20160507-1
        Common CA certificates (utilities)
    $ 

    $ dpkg -s ca-certificates
    Package: ca-certificates
    Status: install ok installed
    Priority: optional
    Section: misc
    Installed-Size: 452
    Maintainer: Ubuntu Developers <ubuntu-devel-discuss(_at_)lists(_dot_)ubuntu(_dot_)com>
    Architecture: all
    Multi-Arch: foreign
    Version: 20141019ubuntu0.15.04.1
    Depends: openssl (>= 1.0.0), debconf (>= 0.5) | debconf-2.0
    Breaks: ca-certificates-java (<< 20121112+nmu1)
    Enhances: openssl
    Description: Common CA certificates
     This package includes PEM files of CA certificates to allow SSL-based
     applications to check for the authenticity of SSL connections.
     .
     It includes, among others, certificate authorities used by the Debian
     infrastructure and those shipped with Mozilla's browsers.
     .
     Please note that Debian can neither confirm nor deny whether the
     certificate authorities whose certificates are included in this package
     have in any way been audited for trustworthiness or RFC 3647 compliance.
     Full responsibility to assess them belongs to the local system
     administrator.
    Original-Maintainer: Michael Shuler <michael(_at_)pbandjelly(_dot_)org>
    $ 

I've lots under /etc/ssl/certs.  Something under
/usr/share/ca-certificates.  And things like wget(1) have a bunch of
--certificate-* options and talk of "the file name is based on a hash
value derived from the certificate" and "system-specified locations,
chosen at OpenSSL installation time".

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy

_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers
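
Added example, not part of the original message or of nmh: a Python sketch that reports where the local OpenSSL build looks for trusted CAs by default and checks a CA directory for the hash-named links that wget(1)'s documentation refers to. The function names, the sample file names and the sample directory are constructed for illustration.

```python
import os
import re
import ssl
import tempfile

# "openssl rehash" / c_rehash name each link <8 hex digits>.<n>: the hex part is
# the certificate's subject-name hash, n separates certificates that collide.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")

def default_trust_locations():
    """Where this Python's OpenSSL looks when the caller configures no CA path."""
    p = ssl.get_default_verify_paths()
    return {
        "compiled_cafile": p.openssl_cafile,   # chosen at OpenSSL build time
        "compiled_capath": p.openssl_capath,
        "env_overrides": (p.openssl_cafile_env, p.openssl_capath_env),
        "cafile_in_use": p.cafile,             # None if the file is absent
        "capath_in_use": p.capath,             # None if the directory is absent
    }

def survey_capath(capath):
    """Split a CA directory into usable hash links, dangling links and the rest."""
    report = {"hashed": [], "dangling": [], "other": []}
    for name in sorted(os.listdir(capath)):
        if not HASH_NAME.match(name):
            report["other"].append(name)       # e.g. the PEM files themselves
        elif os.path.exists(os.path.join(capath, name)):  # follows symlinks
            report["hashed"].append(name)
        else:
            report["dangling"].append(name)    # link whose certificate is gone
    return report

def build_sample_capath(root):
    """Constructed sample laid out like /etc/ssl/certs (no real certificates)."""
    with open(os.path.join(root, "Example_Root_CA.pem"), "w") as f:
        f.write("placeholder, not a real certificate\n")
    os.symlink("Example_Root_CA.pem", os.path.join(root, "1a2b3c4d.0"))
    os.symlink("Removed_CA.pem", os.path.join(root, "deadbeef.0"))  # no target
    return root

if __name__ == "__main__":
    locations = default_trust_locations()
    for key, value in locations.items():
        print(f"{key}: {value}")
    with tempfile.TemporaryDirectory() as d:
        print("sample:", survey_capath(build_sample_capath(d)))
    if locations["capath_in_use"]:
        counts = {k: len(v) for k, v in survey_capath(locations["capath_in_use"]).items()}
        print("system:", counts)
```

A directory with PEM files but no hash-named links is not usable as an OpenSSL CA directory until it has been rehashed, so a zero count under "hashed" is the thing to look for.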
