Walter H.
2018-Jul-04 15:54 UTC
[CentOS] ca-certificates-2018.2.22-65.1.el6.noarch problematic
Hello,

the RPM

ca-certificates-2018.2.22-65.1.el6.noarch

has a big problem ...
many certificates were removed - my proxy uses this as source and isn't able to validate correctly any more -
most sites show this:

[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)

Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

Self-signed SSL Certificate in chain: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

and many other Root certificates are missing ...

Greetings,
Walter
Alice Wonder
2018-Jul-04 16:37 UTC
[CentOS] ca-certificates-2018.2.22-65.1.el6.noarch problematic
On 07/04/2018 08:54 AM, Walter H. wrote:
> Hello,
>
> the RPM
>
> ca-certificates-2018.2.22-65.1.el6.noarch
>
> has a big problem ...
> many certificates were removed - my proxy uses this as source and isn't
> able to validate correctly any more -
> most sites show this:
>
> [No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
>
> Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust
> External TTP Network/CN=AddTrust External CA Root
>
> Self-signed SSL Certificate in chain: /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>
> and many other Root certificates are missing ...
>

Not sure why they were removed but in the past, root certificates are removed due to problems with the certificate authorities that mean their signatures no longer mean the sites are who they say they are.

That's the problem with PKI. When you can't trust the root, you can't sign any certificate down the chain from the root.

Unfortunately DANE is not yet supported by browsers.

But anyway, does the changelog indicate why the certs were removed? It may be a good thing - protecting you from potential MITM when you otherwise would have the assumption that the site is valid because it has a cert.

I know digicert specifically has had problems before resulting in fraudulent certificates being issued.

Hopefully the industry can move to DANE and make blind trust a thing of the past.
Walter H.
2018-Jul-04 17:03 UTC
[CentOS] ca-certificates-2018.2.22-65.1.el6.noarch problematic
On 04.07.2018 18:37, Alice Wonder wrote:
> On 07/04/2018 08:54 AM, Walter H. wrote:
>> Hello,
>>
>> the RPM
>>
>> ca-certificates-2018.2.22-65.1.el6.noarch
>>
>> has a big problem ...
>> many certificates were removed - my proxy uses this as source and isn't
>> able to validate correctly any more -
>> most sites show this:
>>
>> [No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
>>
>> Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust
>> External TTP Network/CN=AddTrust External CA Root
>>
>> Self-signed SSL Certificate in chain: /C=US/O=DigiCert
>> Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>
>> and many other Root certificates are missing ...
>>
>
> Not sure why they were removed but in the past, root certificates are
> removed due to problems with the certificate authorities that mean
> their signatures no longer mean the sites are who they say they are.
>
> That's the problem with PKI. When you can't trust the root, you can't
> sign any certificate down the chain from the root.
>
> Unfortunately DANE is not yet supported by browsers.

DANE is not a solution, it is another problem ...

> But anyway, does the changelog indicate why the certs were removed?

where can I find the changelog?

> It may be a good thing - protecting you from potential MITM when you
> otherwise would have the assumption that the site is valid because it
> has a cert.

depends ... this https://cdn.pbrd.co/images/Hs5VL82.png is not the cause of SSL everywhere, it is the answer of SSL everywhere ...

> I know digicert specifically has had problems before resulting in
> fraudulent certificates being issued.

this had been in the past ..., not relevant to present time ...

> Hopefully the industry can move to DANE and make blind trust a thing
> of the past.

before DANE, DNSSEC as a requirement has to be deployed ...
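The practical question behind this exchange is which roots actually disappeared between the old and the new ca-certificates bundle, since the proxy only reports the first self-signed root it fails to find per chain. The script below is an added example, not code from the thread or from the ca-certificates package: it parses two PEM bundles, fingerprints every certificate by SHA-256 of its DER bytes (the same value `openssl x509 -noout -fingerprint -sha256` prints, without the colons), and lists the certificates present in the old bundle but absent from the new one. It assumes the bundle layout of a plain concatenation of BEGIN/END CERTIFICATE blocks, each optionally preceded by a `# Name` comment line used as the label; the two embedded sample bundles are constructed placeholders with valid PEM framing but no real certificate inside, so the tool's logic can be exercised offline.

```python
"""Report CA roots that vanished between two PEM trust bundles.

Added example (not from the CentOS thread). Standard library only.
Usage with real files:  python3 ca_bundle_diff.py old-ca-bundle.crt new-ca-bundle.crt
Without arguments it runs against the constructed placeholder bundles below.
"""
import base64
import hashlib
import re
import sys

# One certificate block, optionally preceded by a '# <label>' comment line.
# The comment-label convention is an assumption about the bundle layout.
PEM_BLOCK = re.compile(
    r"(?:^#[ \t]*(?P<label>[^\n]*)\n)?"
    r"^-----BEGIN CERTIFICATE-----\n"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)"
    r"^-----END CERTIFICATE-----",
    re.MULTILINE,
)


def parse_bundle(text):
    """Map SHA-256 fingerprint (hex) -> label for every certificate in a bundle.

    Duplicate certificates collapse onto one fingerprint. Certificates without
    a preceding comment line are labelled by the first 16 hex digits of the
    fingerprint so they can still be looked up with openssl.
    """
    certs = {}
    for match in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(match.group("body").split()), validate=True)
        fingerprint = hashlib.sha256(der).hexdigest()
        label = (match.group("label") or "").strip() or fingerprint[:16]
        certs[fingerprint] = label
    return certs


def removed_roots(old_text, new_text):
    """Certificates present in the old bundle but missing from the new one.

    Returns (fingerprint, label) pairs sorted by label, so the output lines up
    with the CN names an error message like X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    reports for the missing root.
    """
    old, new = parse_bundle(old_text), parse_bundle(new_text)
    gone = old.keys() - new.keys()
    return sorted(((fp, old[fp]) for fp in gone), key=lambda pair: pair[1])


def _placeholder_pem(name):
    """Constructed placeholder: valid PEM framing around bytes that are NOT a certificate."""
    fake_der = f"constructed placeholder DER for {name}".encode()
    b64 = base64.b64encode(fake_der).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"# {name}\n-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


# Constructed sample bundles. The two root names come from the error output
# quoted in the thread; the third is an invented placeholder that survives.
OLD_BUNDLE = "".join(_placeholder_pem(n) for n in (
    "AddTrust External CA Root",
    "DigiCert Global Root CA",
    "Example Placeholder Root",
))
NEW_BUNDLE = _placeholder_pem("Example Placeholder Root")


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as old_f, open(argv[2]) as new_f:
            old_text, new_text = old_f.read(), new_f.read()
    else:
        old_text, new_text = OLD_BUNDLE, NEW_BUNDLE
    gone = removed_roots(old_text, new_text)
    for fingerprint, label in gone:
        print(f"missing from new bundle: {label} (sha256 {fingerprint[:16]}...)")
    print(f"{len(gone)} certificate(s) removed")


if __name__ == "__main__":
    main(sys.argv)
```

On CentOS the system bundle lives at /etc/pki/tls/certs/ca-bundle.crt; keeping a copy of it before each ca-certificates update gives the "old" input for this comparison. The changelog asked about above is shipped inside the package itself and can be read with `rpm -q --changelog ca-certificates`.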
Leon Fauster
2018-Jul-04 17:44 UTC
[CentOS] ca-certificates-2018.2.22-65.1.el6.noarch problematic
> On 04.07.2018 at 17:54, Walter H. <Walter.H at mathemainzel.info> wrote:
>
> Hello,
>
> the RPM
>
> ca-certificates-2018.2.22-65.1.el6.noarch
>
> has a big problem ...
> many certificates were removed - my proxy uses this as source and isn't able to validate correctly any more -
> most sites show this:
>
> [No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
>
> Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>
> Self-signed SSL Certificate in chain: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>
> and many other Root certificates are missing ...

Chapter 20. Deprecated Functionality might be related ...?

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/6.10_technical_notes/

--
LF