From: "J. Roeleveld"
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Tue, 01 Jun 2021 06:45:45 +0200
Message-ID: <5480288.DvuYhMxLoT@iris>

On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@gmail.com wrote
>
> > 125 config files in /etc/ssl/certs needs update.
> >
> > For certificates I would expect the old and invalid ones to be replaced
> > by newer ones without user intervention.
>
> Looking through them is "interesting". There seem to be a lot of
> /etc/ssl/certs/????????.0 files, where "?" is either a random number or
> a lower case letter. These all seem to be symlinks to
> /etc/ssl/certs/.pem. Each of those files is in turn a
> symlink to /usr/share/ca-certificates/mozilla/.crt. How much
> do we trust China? There are a couple of certificates in there named
> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and
> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any
> other suspicious regimes in there?

I've always wondered about the amount of CAs that are auto-trusted on any system.
Including several from countries with serious human rights issues.

I could do with a tool where I can easily select which CAs to trust based on country.

--
Joost
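
An added example, not part of this thread and not code from ca-certificates: a read-only Python audit that follows the symlink chain described in the quoted message and groups the trusted root certificates by the country (C=) field of their subject. The default directory is the one named in the thread; the function names are made up for this example, and the country is whatever the CA put in its own certificate.

```python
import os
import ssl
from collections import defaultdict


def symlink_chain(path):
    """Every hop from a ????????.0 link to the file it finally points at."""
    chain, seen = [path], set()
    while os.path.islink(path) and path not in seen:   # stop on symlink loops
        seen.add(path)
        # Relative targets are resolved against the directory holding the link.
        path = os.path.normpath(
            os.path.join(os.path.dirname(path), os.readlink(path)))
        chain.append(path)
    return chain


def subject_country(cert_file):
    """countryName of the CA certificate in a PEM file, or None if absent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cert_file)
    except (ssl.SSLError, OSError):
        return None                      # unreadable or not a PEM certificate
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "countryName":
                    return value
    return None


def cas_by_country(cert_dir="/etc/ssl/certs"):
    """Map country code ("??" when none is declared) to certificate files."""
    groups = defaultdict(set)
    for name in sorted(os.listdir(cert_dir)):
        if not name.endswith(".0"):      # only the hash-named lookup links
            continue
        final = symlink_chain(os.path.join(cert_dir, name))[-1]
        if os.path.isfile(final):        # skip dangling or looping links
            groups[subject_country(final) or "??"].add(final)
    return groups


if __name__ == "__main__":
    for country, files in sorted(cas_by_country().items()):
        print(country, len(files))
        for path in sorted(files):
            print("   ", path)
```

The script only reports; removing a CA from the trust store is a separate step done with the distribution's own tooling.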