On 07/04/2018 08:54 AM, Walter H. wrote:
Hello,
the RPM
ca-certificates-2018.2.22-65.1.el6.noarch
has a big problem ...
many certificates were removed - my proxy uses this as source and isn't
able to validate correctly any more -
most sites show this:
[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Self-signed SSL Certificate in chain: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
and many other Root certificates are missing ...
Not sure why they were removed, but in the past root certificates have been
removed due to problems with the certificate authorities that mean their
signatures no longer mean the sites are who they say they are.
That's the problem with PKI. When you can't trust the root, you can't
sign any certificate down the chain from the root.
Unfortunately DANE is not yet supported by browsers.
But anyway, does the changelog indicate why the certs were removed?
It may be a good thing - protecting you from potential MITM when you
otherwise would have the assumption that the site is valid because it
has a cert.
I know DigiCert specifically has had problems before resulting in
fraudulent certificates being issued.
Hopefully the industry can move to DANE and make blind trust a thing of
the past.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
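As an added example (not from the thread), a POSIX shell check that reports which of the two roots named in the proxy errors are absent from the system CA bundle and prints the package changelog the reply asks about. It assumes the EL6 bundle path /etc/pki/tls/certs/ca-bundle.crt and the OpenSSL 1.0.x "subject=/C=.../CN=..." subject format; the sample subject lines are constructed.

```shell
# Root CNs the proxy reported as self-signed-in-chain (from the thread above).
EXPECTED_ROOTS='AddTrust External CA Root
DigiCert Global Root CA'

# bundle_subjects FILE: print one "subject=/..." line per certificate in a PEM
# bundle. openssl splits the concatenated PEM into individual certificates;
# the slash-separated DN format assumes OpenSSL 1.0.x as shipped on EL6.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# missing_roots: read subject lines on stdin, extract each CN, and print every
# expected root CN that is not present (exact match on the CN value).
missing_roots() {
    cns=$(sed -n 's/.*\/CN=//p')
    printf '%s\n' "$EXPECTED_ROOTS" | while IFS= read -r cn; do
        printf '%s\n' "$cns" | grep -Fxq "$cn" || printf '%s\n' "$cn"
    done
}

# Constructed sample of subject lines as openssl 1.0.x prints them, with the
# DigiCert root deliberately absent.
SAMPLE_SUBJECTS='subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA'

# Live check: only runs where the EL6 bundle path (assumed) is readable.
BUNDLE=${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}
if [ -r "$BUNDLE" ]; then
    echo "Expected roots missing from $BUNDLE:"
    bundle_subjects "$BUNDLE" | missing_roots
    # The changelog is where the reply suggests looking for the removal reason.
    rpm -q --changelog ca-certificates 2>/dev/null | head -n 20
else
    printf '%s\n' "$SAMPLE_SUBJECTS" | missing_roots
fi
```

Set BUNDLE to another path (for example a bundle the proxy is configured to read) to check that file instead of the system default.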