Content of /usr/share/ssl/ca-bundle.crt

Radoslaw Zielinski radek42 at gmail.com
Mon Mar 20 10:53:12 CET 2006


  Introduction

/usr/share/ssl/ca-bundle.crt is used by OpenSSL as a database of root
certificates.  If the certificate for the current OpenSSL-served session
is not signed by one of the certificates found there, the application
should display a big fat warning.


  Security

Users who ignore the big fat warning mentioned above are open to a
man-in-the-middle attack. [1]  Using SSL without checking certificates is
mostly pointless and gives a false sense of safety.


  Actual condition

Our ca-bundle.crt contains only Unizeto certificates.  Pointless; it should
either be empty or contain more.


  Problem

We could, of course, state that our users should decide on their own whom
they trust.  While that is a perfectly consistent policy (and an easy one
to maintain ;-), it's not very user-friendly.  IMO, user-unfriendly
security issues usually get ignored.


  Proposed solution

Use certificates from Mozilla.


  Possible implementations

Use the ca-bundle.pl script from apache1-mod_ssl (only in the sources; we
don't distribute it) to fetch certificates from Mozilla CVS and create
ca-bundle.crt.  Then:

a) Just install it in /usr/share/ssl/, marking as %config(noreplace).
b) Create a directory in /etc [2], symlink /usr/share/ssl to it.
c) Whatever.

For now (and for Ac), I'd choose a).


  Alternate solution

Create a (init?) script to use the contents of /usr/share/certs and
maybe some other directory (for user's own certificates).


  Unizeto

According to [3], there were concerns about distributing their
certificates.  I'd leave it as is and add them to ca-bundle.pl's
output.


[1] I know of a small ISP that did (and maybe still does) this to force
    its own transparent SMTP relay.  The ISP's CA certificate was (is)
    installed on users' systems by a technician during network
    installation.  Clients never complained...
[2] http://blogs.gurulabs.com/dax/archives/2005/05/warning_changes.html
[3] http://7thguard.net/news.php?id=1637

-- 
Radosław Zieliński <radek42 at gmail.com>
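As an added example (not part of the original post, and not PLD's or mod_ssl's own tooling), the following shell session shows concretely what "checking certificates" against ca-bundle.crt means and why a bundle that is empty or holds only unrelated roots gives nothing. It assumes only the openssl command-line tool; the CA names, the host name mail.example.test and the temporary bundle files are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: what "checking certificates
# against ca-bundle.crt" means in practice.  A bundle is just concatenated
# PEM certificates; `openssl verify -CAfile` treats them as trust anchors.
# Requires the openssl command-line tool.  Everything below is a throwaway
# CA and leaf certificate created in a temp directory (constructed data).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME "CN": self-signed root CA (the stock openssl.cnf supplies
# basicConstraints CA:TRUE through its v3_ca section).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# make_leaf CANAME LEAFNAME "CN": leaf certificate for a hypothetical host,
# signed by the CA created with make_ca.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca   good  "Example Root CA (hypothetical)"
make_ca   other "Unrelated Root CA (hypothetical)"
make_leaf good  mail "mail.example.test"

# Three candidate bundles, mirroring the post: empty, a single CA that did
# not sign the server certificate, and a proper bundle of concatenated roots.
: > "$WORK/empty-bundle.crt"
cat "$WORK/other.crt" > "$WORK/other-only.crt"
cat "$WORK/other.crt" "$WORK/good.crt" > "$WORK/bundle.crt"

# count_certs BUNDLE: number of PEM certificates in a bundle file.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true   # grep -c exits 1 on zero matches
}

# verify_against BUNDLE CERT: prints "ok" if CERT chains to a root in BUNDLE,
# "fail" otherwise.  An empty bundle fails too: there is no anchor to reach.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

for b in empty-bundle other-only bundle; do
    echo "$b.crt: $(count_certs "$WORK/$b.crt") root(s), mail.crt -> $(verify_against "$WORK/$b.crt" "$WORK/mail.crt")"
done
```

The same `openssl verify -CAfile /usr/share/ssl/ca-bundle.crt server.crt` call is the check an application performs implicitly when it loads the bundle as its trust store; the ISP scenario in footnote [1] is simply the "other-only" case turned around, with the attacker's root added to the bundle so that its forged server certificate verifies as "ok".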