Gentoo Forums
'Untrusted but not blacklisted' certificates
Telemin
l33t


Joined: 25 Aug 2005
Posts: 734
Location: Glasgow, UK

Posted: Thu Mar 20, 2014 11:58 am    Post subject: 'Untrusted but not blacklisted' certificates

Hello All,

I just updated app-misc/ca-certificates to the latest 20140223.3.15.5 version. I noticed in the package output a string of warnings:

Code:

Ignoring certificate "UTN-USER First-Network Applications".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST
Ignoring certificate "UTN USERFirst Object Root CA".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST
Certificate "MD5 Collisions Forged Rogue CA 25c3" blacklisted, ignoring.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrusted AC DG Tresor SSL"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ignoring certificate "TC TrustCenter Universal CA III".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Mozilla Addons"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Global Trustee"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus GMail"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Google"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Skype"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 1"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 2"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 3"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus live.com"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus kuix.de"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Root CA"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Services 1024 CA"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Cyber CA"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Cyber CA 2nd"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted DigiNotar PKIoverheid"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted DigiNotar PKIoverheid G2"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


And so on...

Can someone who understands the way certificates are handled in Gentoo explain to me what is going on here? Is this a problem with my system? Expected behaviour for this package?

I understand the concepts of public key cryptography well enough, but not the way Gentoo handles it. Is this telling me that I have bogus ca-certs installed?

-Telemin-
_________________
The Geek formerly known as -Freestyling-
When you feel your problem has been solved please add [Solved] to the topic title.
Please adopt an unanswered post
mvaterlaus
Apprentice


Joined: 01 Oct 2010
Posts: 202
Location: Switzerland

Posted: Thu Mar 20, 2014 4:09 pm

Hi,
Have you read the emerge post message of that ebuild? It states a command which removes old symlinks, like the following:
Code:

find -L /etc/ssl/certs/ -type l -exec rm {} +


Also, update the ca-certificates with the following command:
Code:

update-ca-certificates

_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch
Telemin
l33t


Joined: 25 Aug 2005
Posts: 734
Location: Glasgow, UK

Posted: Thu Mar 20, 2014 4:29 pm

Hi mvaterlaus,

I do not have any old/hanging symlinks, and am aware of the update-ca-certificates command. However, I don't believe either of those things is relevant to the behaviour of the package at compile time. I want to know from someone who understands the package, likely a member of the Gentoo security team, why the warnings are generated and why those keys are even there if they are untrusted.

-Telemin-
pentium4borg
n00b


Joined: 29 Aug 2006
Posts: 47

Posted: Mon Mar 30, 2015 8:48 pm

I'm seeing the same sorts of messages with =app-misc/ca-certificates-20140927.3.17.2. I have run update-ca-certificates, removed any broken symlinks (find -L /etc/ssl/certs/ -type l -exec rm {} +), and reinstalled ca-certificates, but the messages were present on reinstallation.

These messages are very worrying. Can anyone shed some light as to what is happening?

Thanks.
jagdpanther
Guru


Joined: 22 Nov 2003
Posts: 498

Posted: Sun Feb 14, 2016 3:36 pm

I also am seeing these types of messages with my update to ca-certificates-20151214.3.21. Any ideas?
gordonb3
Apprentice


Joined: 01 Jul 2015
Posts: 185

Posted: Mon Feb 15, 2016 10:58 am

This is normal behaviour for this package. ca-certificates is derived from the nss sources, which apparently is meant to do something with certificates that have for some reason become untrusted at some time, e.g. because they expired. This info is included in the certdata file, and the package-provided parser that creates the individual .crt files spits out this message when it hits the not trusted flag. It's ugly and I guess the Gentoo devs could provide a patch for the parser to silence that warning, but for some reason they don't. In any case, there is no need to worry.
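The parsing step described in the last post, as an added example that is not part of the thread and is not the package's own parser: it reads trust objects in certdata syntax and sorts each label into the four kinds of log line seen in the first post. The order of the rules, the trust values in the sample and the label `Example Trusted Root` are assumptions made for illustration.

```python
TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"
MUST_VERIFY = "CKT_NSS_MUST_VERIFY_TRUST"
DISTRUSTED = "CKT_NSS_NOT_TRUSTED"

def _trust_obj(label, sauth, eprot):  # render one trust object in certdata syntax
    return ('CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n'
            f'CKA_LABEL UTF8 "{label}"\n'
            f'CKA_TRUST_SERVER_AUTH CK_TRUST {sauth}\n'
            f'CKA_TRUST_EMAIL_PROTECTION CK_TRUST {eprot}\n')

# Constructed sample: most labels come from the build log, trust values are assumed.
SAMPLE = "\n".join(_trust_obj(*row) for row in [
    ("Example Trusted Root", TRUSTED, MUST_VERIFY),
    ("UTN USERFirst Object Root CA", MUST_VERIFY, MUST_VERIFY),
    ("Bogus Google", DISTRUSTED, DISTRUSTED),
    ("MD5 Collisions Forged Rogue CA 25c3", DISTRUSTED, DISTRUSTED),
])

def parse_objects(text):
    """One dict per blank-line-separated object; comments, BEGINDATA and
    octal payload lines (fewer than three fields) are skipped."""
    objs = []
    for block in text.split("\n\n"):
        obj = {}
        for line in block.splitlines():
            parts = line.split(None, 2)
            if len(parts) == 3 and not parts[0].startswith("#"):
                obj[parts[0]] = parts[2].strip('"')
        if obj:
            objs.append(obj)
    return objs

def classify(obj, blacklist):
    """Map a trust object to the kind of log line the build printed for it."""
    sauth, eprot = obj.get("CKA_TRUST_SERVER_AUTH"), obj.get("CKA_TRUST_EMAIL_PROTECTION")
    if obj["CKA_LABEL"] in blacklist:
        return "blacklisted"                # 'Certificate "..." blacklisted, ignoring.'
    if TRUSTED in (sauth, eprot):
        return "trusted"                    # no warning, a .crt file is produced
    if sauth == DISTRUSTED:
        return "untrusted-not-blacklisted"  # the banner between the '!' lines
    return "ignored"                        # 'Ignoring certificate "...". SAUTH=...'

def build_report(text, blacklist=()):
    return {o["CKA_LABEL"]: classify(o, blacklist)
            for o in parse_objects(text) if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}

if __name__ == "__main__":
    for label, kind in build_report(SAMPLE, {"MD5 Collisions Forged Rogue CA 25c3"}).items():
        print(f"{kind:26} {label}")
```

In this model only the `trusted` class would produce a .crt file; the other three classes produce log lines and nothing else.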