X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type:content-transfer-encoding; q=dns; s=default; b=mQLUCRkKQwvzce81UC1jajF0p2BceHjRIgyzpdu9kJE 23Tg7zOMM/1OyY2UaUVndmj/c08W1AA6xq9yoN7ZOO2slR1z/qHzGC7q/CAZZ7SL vgqGX1/xOcuE0Jy73h6aPI4LT7Kfa8dm+yEuhts9/UXtn+n/8fa5xijc0QYsv3Q4 = DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type:content-transfer-encoding; s=default; bh=KLdIS6YmlAZJvPwnhKG1WrZQxHo=; b=puXkNFbFvIKZUDYg3 m3AP6x0hdYNNcDDucgaaglzHDq7wT+NduHLetRSbCs3L8o5KHvkaIWKPYEIzQTJX XG9JpXZhLlKA7fyHRBFjkyMPo3bD8oTY120iLLPwH9f6wCoNDPGc1OUkcXzTysVl DUMIwxNcdy2I3l5nJSXYow6ey0= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=1.3 required=5.0 tests=AWL,BAYES_50,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM,SPF_PASS autolearn=no version=3.3.2 spammy=Trust, Classic, catrust, ca-trust X-HELO: mail-io0-f170.google.com X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-transfer-encoding; bh=r5KHWi1CKubvvfNxahDH7yxlwvxEe7nlwylaThArsnU=; b=cBZmWrdZygzTpOcUxKenZ4V6TufBX8/xT0kEtndnirYSsW/3UKek8uID6lXEG4rvgy Ukkvk5fP8A5gX2QYb+OYjGAbfFzBNZYwJJR3oHSJXNhYuBw+MdckvR40s5WM+O7YsSLV KvbmmRV5IlasGM4rw6E8I5pCaYCJHAaYV+P6CgzjXZEC7nTvi56CbvS/kJJmASvNsLEM lXRE6Xji09H/7nhercWLSiW8sL9LD/c188BBFoWS/ruUGcuWQycCTygFmh8Vv++bdtGr mpMR+SIGCHYO+DSO7B3tP3NiiX5kE0DvvTrmEcA9E92d0UUwJ3tzOuP2QmnzDaBjlkdT Gb5g== X-Gm-Message-State: AIVw112fbvIQRO4yvUTfNCjmk+wlIoxg3Ddhk1DZUVaoudmWfCRTv6Jp D1Ct0I5zDzPO7aqFodaL1rkkXOBpvA== X-Received: by 10.107.12.28 with SMTP id w28mr21056208ioi.150.1500291318549; Mon, 17 Jul 2017 04:35:18 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: References: From: Lee Date: Mon, 17 Jul 2017 07:35:17 -0400 Message-ID: Subject: Re: gpg ca-cert-file=[which file???] To: cygwin AT cygwin DOT com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id v6HBZbnN026757 On 7/16/17, René Berber wrote: > On 7/16/2017 11:38 AM, Lee wrote: > > [snip] >> ok... man update-ca-trust >> FILES >> /etc/pki/tls/certs/ca-bundle.trust.crt >> Classic filename, file contains a list of CA certificates in >> the extended BEGIN/END TRUSTED CERTIFICATE file format, >> which includes trust (and/or distrust) flags specific to >> certificate usage. This file is a symbolic link that refers >> to the consolidated output created by the update-ca-trust >> command. > [snip] >> It looks like there's some certs in >> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt that I don't >> want to trust.. but how to tell which ones & how to set >> distrust/blacklist trust flags on them? or maybe I need to copy them >> to /etc/pki/ca-trust/source/blacklist/ ??? >> >> Anyone have any pointers on how to distrust certs in >> ca-bundle.trust.crt (assuming that _is_ the file I should be using) or >> even how to show exactly what's in there? >> $ grep "#" ca-bundle.trust.crt >> shows lots of comments but >> $ openssl x509 -in ca-bundle.trust.crt -noout -subject -dates >> just shows me the first cert :( > > You should refer to the package announcement, and direct any questions > about the package (not about its use) to its maintainer. I came across this when looking for the ca-certificates package announcement: https://cygwin.com/ml/cygwin/2013-05/msg00385.html it's from 2013: It has been brought to my attention that gnutls does not seem to be configured to use ca-certificates by default. This can be enabled by adding --with-default-trust-store-file=/usr/ssl/certs/ca-bundle.crt to configure flags I'm still not clear about which trust store I should be using - ca-bundle.crt or ca-bundle.trust.crt > As I understand the package is just a bundle of the files distributed by > Mozilla (which is the maintainer of the root certs). For questions > about those files, its contents, or its use... refer to Mozilla. As far as I can tell, Mozilla thinks using their trust store for anything other than firefox is out of scope - eg: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/NHW4JA6xoAY mozilla.dev.security.policy › Configuring Graduated Trust for Non-Browser Consumption > Actually Mozilla distributes one file, which is then processed to create > all the files that you see. > > The link you show to Mozilla about the trust on CNNIC also points out > that the exception is made in code (i.e. hard-coded), and if you look > above it clearly states: "The status of whether a root is approved to > issue EV certificates or not is stored in PSM rather than certdata.txt", > this certdata.txt is precisely the file I'm talking about above, so > don't expect any of those Extended Validation changes to be present (and > you can ask Mozilla why they do it in code, instead of in the certs). I don't care about EV right now. I don't want to trust any certificate issued by CNNIC & a few other CAs. How do I do that? Thanks Lee -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple