| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| In-Reply-To: | <okgfdb$n59$1@blaine.gmane.org> |
| References: | <CAD8GWsvT9rgHz+vcdBmX-opfckZS8g06_Px57JCNG_xCT_ku6A AT mail DOT gmail DOT com> <okef84$e7f$1 AT blaine DOT gmane DOT org> <CAD8GWsuvpZqOmajdyBBSNza20un_BZuJOdRH15XhKFqzx4H3OA AT mail DOT gmail DOT com> <okesn6$agb$1 AT blaine DOT gmane DOT org> <CAD8GWsuMuda5O2X-1N_q8TpZ_wZQBhEEJpfdA1eQO+x1iDLH5A AT mail DOT gmail DOT com> <okgfdb$n59$1 AT blaine DOT gmane DOT org> |
| From: | Lee <ler762 AT gmail DOT com> |
| Date: | Mon, 17 Jul 2017 07:35:17 -0400 |
| Message-ID: | <CAD8GWssNeQxTrLim_kO+2nhSzRXR6Kq9h12Sjw2Pg5bVJ0BkTw@mail.gmail.com> |
| Subject: | Re: gpg ca-cert-file=[which file???] |
| To: | cygwin AT cygwin DOT com |
On 7/16/17, René Berber wrote:
> On 7/16/2017 11:38 AM, Lee wrote:
>
> [snip]
>> ok... man update-ca-trust
>> FILES
>> /etc/pki/tls/certs/ca-bundle.trust.crt
>> Classic filename, file contains a list of CA certificates in
>> the extended BEGIN/END TRUSTED CERTIFICATE file format,
>> which includes trust (and/or distrust) flags specific to
>> certificate usage. This file is a symbolic link that refers
>> to the consolidated output created by the update-ca-trust
>> command.
> [snip]
>> It looks like there's some certs in
>> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt that I don't
>> want to trust.. but how to tell which ones & how to set
>> distrust/blacklist trust flags on them? or maybe I need to copy them
>> to /etc/pki/ca-trust/source/blacklist/ ???
>>
>> Anyone have any pointers on how to distrust certs in
>> ca-bundle.trust.crt (assuming that _is_ the file I should be using) or
>> even how to show exactly what's in there?
>> $ grep "#" ca-bundle.trust.crt
>> shows lots of comments but
>> $ openssl x509 -in ca-bundle.trust.crt -noout -subject -dates
>> just shows me the first cert :(
>
> You should refer to the package announcement, and direct any questions
> about the package (not about its use) to its maintainer.
I came across this when looking for the ca-certificates package announcement:
https://cygwin.com/ml/cygwin/2013-05/msg00385.html
it's from 2013:
It has been brought to my attention that gnutls does not seem to be
configured to use ca-certificates by default. This can be enabled by
adding --with-default-trust-store-file=/usr/ssl/certs/ca-bundle.crt to
configure flags
I'm still not clear about which trust store I should be using -
ca-bundle.crt or ca-bundle.trust.crt
> As I understand the package is just a bundle of the files distributed by
> Mozilla (which is the maintainer of the root certs). For questions
> about those files, its contents, or its use... refer to Mozilla.
As far as I can tell, Mozilla thinks using their trust store for
anything other than firefox is out of scope - e.g.:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/NHW4JA6xoAY
mozilla.dev.security.policy ›
Configuring Graduated Trust for Non-Browser Consumption
> Actually Mozilla distributes one file, which is then processed to create
> all the files that you see.
>
> The link you show to Mozilla about the trust on CNNIC also points out
> that the exception is made in code (i.e. hard-coded), and if you look
> above it clearly states: "The status of whether a root is approved to
> issue EV certificates or not is stored in PSM rather than certdata.txt",
> this certdata.txt is precisely the file I'm talking about above, so
> don't expect any of those Extended Validation changes to be present (and
> you can ask Mozilla why they do it in code, instead of in the certs).
I don't care about EV right now. I don't want to trust any
certificate issued by CNNIC & a few other CAs. How do I do that?
Thanks
Lee
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
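The two practical questions in this message (how to see every certificate in ca-bundle.trust.crt when `openssl x509` only shows the first one, and how to distrust a chosen CA) can be worked through with a short script. This is an added example, not code from the thread or from the Cygwin ca-certificates package: the split-then-inspect loop is the usual workaround for `openssl x509` reading a single PEM block, the blacklist directory and the `extract` subcommand are the ones documented in update-ca-trust(8), the `/etc/pki/ca-trust` prefix and the function names are assumptions, and the sample bundle is a constructed placeholder rather than real certificates.

```shell
#!/bin/sh
# Added example for this thread (not from the original post or from the
# Cygwin ca-certificates package). Enumerates every certificate in a PEM
# bundle such as ca-bundle.trust.crt and stages one certificate for distrust
# via the blacklist directory documented in update-ca-trust(8).
# The /etc/pki/ca-trust prefix and the function names are assumptions.
set -eu

# split_bundle BUNDLE OUTDIR
# Copies each PEM block of BUNDLE (plain CERTIFICATE or the extended
# TRUSTED CERTIFICATE form) into OUTDIR/cert-NNNN.pem and prints the count.
split_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN (TRUSTED )?CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%04d.pem", dir, n)
        }
        out != "" { print > out }          # inside a block: copy the line
        /^-----END (TRUSTED )?CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }                # 0 when the file holds no block
    ' "$bundle"
}

# describe_bundle BUNDLE
# Prints subject, validity window and SHA-256 fingerprint of every
# certificate; the fingerprint is the stable handle for a CA you intend to
# distrust, since subjects of different roots can look alike.
describe_bundle() {
    tmp=$(mktemp -d)
    count=$(split_bundle "$1" "$tmp")
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || break               # glob matched nothing
        printf '== %s ==\n' "$(basename "$f")"
        openssl x509 -in "$f" -noout -subject -dates -fingerprint -sha256
    done
    rm -rf "$tmp"
    echo "$count certificate(s) in $1"
}

# distrust_cert CERT.pem
# Stages CERT.pem in the blacklist source directory and regenerates the
# consolidated bundles; must run as root. The blacklist directory and the
# extract subcommand are the ones named in update-ca-trust(8).
distrust_cert() {
    blacklist=/etc/pki/ca-trust/source/blacklist
    mkdir -p "$blacklist"
    cp "$1" "$blacklist/$(basename "$1")"
    update-ca-trust extract
}

# make_sample_bundle PATH
# Writes a constructed two-block bundle (the base64 bodies are placeholders,
# not real certificates) so split_bundle can be exercised offline.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# comment line, like the ones ca-bundle.trust.crt carries
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQk9EWQ==
-----END CERTIFICATE-----
# second block in the extended trust-flag form
-----BEGIN TRUSTED CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQk9EWQ==
-----END TRUSTED CERTIFICATE-----
EOF
}

# Usage: sh list-bundle.sh /etc/pki/tls/certs/ca-bundle.trust.crt
if [ $# -gt 0 ]; then
    describe_bundle "$1"
fi
```

Running `describe_bundle` against the bundle gives one subject/fingerprint entry per root; once the unwanted CA is identified by fingerprint, the matching `cert-NNNN.pem` split file is what `distrust_cert` stages, and the regenerated ca-bundle.trust.crt then carries it with distrust flags instead of trust flags.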