[CentOS] ca-certificates-2018.2.22-65.1.el6.noarch problematic
Walter.H at mathemainzel.info
Wed Jul 4 17:03:19 UTC 2018
On 04.07.2018 18:37, Alice Wonder wrote:
> On 07/04/2018 08:54 AM, Walter H. wrote:
>> the RPM
>> has a big problem ...
>> many certificates were removed - my proxy uses this as source and isn't
>> able to validate correctly any more -
>> most sites show this:
>> [No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
>> Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust
>> External TTP Network/CN=AddTrust External CA Root
>> Self-signed SSL Certificate in chain: /C=US/O=DigiCert
>> Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>> and many other Root certificates are missing ...
> Not sure why they were removed but in the past, root certificates are
> removed due to problems with the certificate authorities that mean
> their signatures no longer mean the sites are who they say they are.
> That's the problem with PKI. When you can't trust the root, you can't
> sign any certificate down the chain from the root.
> Unfortunately DANE is not yet supported by browsers.
DANE is not a solution, it is another problem ...
> But anyway, does the changelog indicate why the certs were removed?
where can I find the changelog?
> It may be a good thing - protecting you from potential MITM when you
> otherwise would have the assumption that the site is valid because it
> has a cert.
is not the cause of SSL everywhere, it is the answer of SSL everywhere ...
> I know digicert specifically has had problems before resulting in
> fraudulent certificates being issued.
this had been in the past ..., not relevant to present time ...
> Hopefully the industry can move to DANE and make blind trust a thing
> of the past.
before DANE, DNSSEC as a requirement has to be deployed ...
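
Added example, not part of the original message or of any CentOS tooling: one way to check whether the roots named in proxy error lines like those quoted above are still present in a CA bundle. The function names, the sample log and the sample store are constructed for illustration; matching is by subject name only, which shows presence in the bundle but does not prove the key is the same.

```python
import re
import ssl

# OpenSSL one-line short names -> long names used by Python's ssl module.
SHORT_TO_LONG = {"C": "countryName", "ST": "stateOrProvinceName",
                 "L": "localityName", "O": "organizationName",
                 "OU": "organizationalUnitName", "CN": "commonName"}

def parse_oneline_dn(dn):
    """Turn '/C=SE/O=AddTrust AB/...' into a frozenset of (long_name, value)."""
    parts = re.findall(r"/([A-Za-z]+)=([^/]*)", dn)  # values containing '/' are not handled
    return frozenset((SHORT_TO_LONG.get(k, k), v.strip()) for k, v in parts)

def dns_from_proxy_log(text):
    """Extract the DNs from 'Self-signed SSL Certificate in chain:' lines."""
    joined = " ".join(text.split())  # undo mail/log line wrapping
    pattern = r"Self-signed SSL Certificate in chain: (/.*?)(?= Self-signed|$)"
    return [m.strip() for m in re.findall(pattern, joined)]

def subject_set(ca_cert):
    """Flatten the nested RDN tuples returned by SSLContext.get_ca_certs()."""
    return frozenset(pair for rdn in ca_cert["subject"] for pair in rdn)

def missing_roots(log_text, ca_certs):
    """Return the DNs from the log that match no subject in ca_certs."""
    present = {subject_set(c) for c in ca_certs}
    return [dn for dn in dns_from_proxy_log(log_text)
            if parse_oneline_dn(dn) not in present]

def load_bundle(cafile):
    """Load a PEM bundle and return its CA certificates as dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()

# Constructed sample: the error lines from the message, wrapped as in the mail.
SAMPLE_LOG = """\
[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust
External TTP Network/CN=AddTrust External CA Root
Self-signed SSL Certificate in chain: /C=US/O=DigiCert
Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
"""
# Constructed stand-in for get_ca_certs() output: only the DigiCert root is present.
SAMPLE_STORE = [{"subject": (
    (("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
    (("organizationalUnitName", "www.digicert.com"),),
    (("commonName", "DigiCert Global Root CA"),))}]
```

Against a real system, pass the proxy's log text and `load_bundle(path)` for the bundle file the proxy is configured to use to `missing_roots`.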