Re: [Nmh-workers] TLS certificate validation

From: Ralph Corderoy
Subject: Re: [Nmh-workers] TLS certificate validation
Date: Sat, 24 Sep 2016 17:14:54 +0100

Hi Ken,

> A brief survey suggests to me that common open-source systems do not
> ship a set of popular commercial root certificates.

I thought they all did.  On a couple of machines to hand.

    $ pacman -Qs certificate
    local/ca-certificates 20160507-1
        Common CA certificates (default providers)
    local/ca-certificates-cacert 20140824-3
        CAcert.org root certificates
    local/ca-certificates-mozilla 3.26-1
        Mozilla's set of trusted CA certificates
    local/ca-certificates-utils 20160507-1
        Common CA certificates (utilities)

    $ dpkg -s ca-certificates
    Package: ca-certificates
    Status: install ok installed
    Priority: optional
    Section: misc
    Installed-Size: 452
    Maintainer: Ubuntu Developers <address@hidden>
    Architecture: all
    Multi-Arch: foreign
    Version: 20141019ubuntu0.15.04.1
    Depends: openssl (>= 1.0.0), debconf (>= 0.5) | debconf-2.0
    Breaks: ca-certificates-java (<< 20121112+nmu1)
    Enhances: openssl
    Description: Common CA certificates
     This package includes PEM files of CA certificates to allow SSL-based
     applications to check for the authenticity of SSL connections.
     It includes, among others, certificate authorities used by the Debian
     infrastructure and those shipped with Mozilla's browsers.
     Please note that Debian can neither confirm nor deny whether the
     certificate authorities whose certificates are included in this package
     have in any way been audited for trustworthiness or RFC 3647 compliance.
     Full responsibility to assess them belongs to the local system
    Original-Maintainer: Michael Shuler <address@hidden>

I've lots under /etc/ssl/certs.  Something under
/usr/share/ca-certificates.  And things like wget(1) have a bunch of
--certificate-* options and talk of "the file name is based on a hash
value derived from the certificate" and "system-specified locations,
chosen at OpenSSL installation time".

Cheers, Ralph.
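
The following is an added example, not part of Ralph's message or of nmh: a Python sketch that asks the linked OpenSSL for its compiled-in trust-store locations and counts, under a directory, the hash-named entries versus the PEM certificates. The function names, the placeholder file names and the sample directory built in `demo()` are constructed for illustration.

```python
import os
import re
import ssl
import tempfile

# OpenSSL looks up a CA in a directory by "<8 hex digits>.<n>": the subject-name
# hash plus a collision counter (the links that c_rehash / `openssl rehash` create).
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def survey_dir(path):
    """Count hash-named entries and PEM certificates found under path."""
    hashed = pem_certs = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            if not os.path.isfile(full):   # skips dangling symlinks
                continue
            if HASHED_NAME.match(name):
                hashed += 1                # a link to a cert, not counted twice
            else:
                with open(full, "rb") as fh:
                    pem_certs += fh.read().count(PEM_MARKER)
    return {"hashed_links": hashed, "pem_certs": pem_certs}


def default_locations():
    """Paths compiled into the OpenSSL that this Python links against."""
    p = ssl.get_default_verify_paths()
    return {"cafile": p.openssl_cafile, "capath": p.openssl_capath}


def demo():
    """Constructed sample directory; file bodies are placeholders, not real certs."""
    with tempfile.TemporaryDirectory() as d:
        for name, blocks in [("Example_Root.pem", 1), ("bundle.crt", 3), ("README", 0)]:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write((PEM_MARKER + b"\n(placeholder)\n") * blocks)
        os.symlink("Example_Root.pem", os.path.join(d, "0123abcd.0"))
        return survey_dir(d)


if __name__ == "__main__":
    locs = default_locations()
    print("OpenSSL defaults:", locs)
    for path in sorted({locs["capath"], "/etc/ssl/certs", "/usr/share/ca-certificates"}):
        if os.path.isdir(path):
            print(path, survey_dir(path))
```

A directory that holds PEM files but no hash-named entries will not be found by OpenSSL's directory lookup until it has been rehashed.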
