LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Warnings about untrusted certificates while compiling ca-certificates (https://www.linuxquestions.org/questions/linux-security-4/warnings-about-untrusted-certificates-while-compiling-ca-certificates-4175453151/)

Lennie 03-07-2013 12:48 PM
Warnings about untrusted certificates while compiling ca-certificates
 
I just compiled ca-certificates on LFS, using a PKGBUILD from Arch (sources: ca-certificates-20130119). The output from make made me a bit worried.

Code:
make[1]: Entering directory `/home/packages/pkgbuilds/ca-certificates/src/ca-certificates-20130119/mozilla'
python certdata2pem.py
Ignoring certificate "UTN-USER First-Network Applications".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST
Ignoring certificate "UTN USERFirst Object Root CA".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST
Certificate "MD5 Collisions Forged Rogue CA 25c3" blacklisted, ignoring.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Mozilla Addons"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Global Trustee"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus GMail"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Google"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Skype"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 1"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 2"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 3"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus live.com"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus kuix.de"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Root CA"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Services 1024 CA"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Cyber CA"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Cyber CA 2nd"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted DigiNotar PKIoverheid"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted DigiNotar PKIoverheid G2"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (cyb)"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (en)"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "MITM subCA 1 issued by Trustwave"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "MITM subCA 2 issued by Trustwave"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "TURKTRUST Mis-issued Intermediate CA 1"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "TURKTRUST Mis-issued Intermediate CA 2"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
make[1]: Leaving directory `/home/packages/pkgbuilds/ca-certificates/src/ca-certificates-20130119/mozilla'
make[1]: Entering directory `/home/packages/pkgbuilds/ca-certificates/src/ca-certificates-20130119/cacert.org'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/home/packages/pkgbuilds/ca-certificates/src/ca-certificates-20130119/cacert.org'
make[1]: Entering directory `/home/packages/pkgbuilds/ca-certificates/src/ca-certificates-20130119/debconf.org'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/home/packages/pkgbuilds/ca-certificates/src/ca-certificates-20130119/debconf.org'
make[1]: Entering directory `/home/packages/pkgbuilds/ca-certificates/src/ca-certificates-20130119/spi-inc.org'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/home/packages/pkgbuilds/ca-certificates/src/ca-certificates-20130119/spi-inc.org'
What should I do about those untrusted certificates?

sundialsvcs 03-11-2013 11:31 AM
It appears to me just from looking at the output that these certificates are intended to be bogus. That they are intended as a test of bogosity-detection.

It's time to go to a reliable source: the documentation for what you're doing.

Lennie 03-11-2013 12:27 PM
I don't understand... Should I remove them and install from somewhere else? The source are from Debian, shouldn't it be trustworthy? I don't understand how to make a package from the instructions in blfs, and I don't like to install things without the package manager. But if keeping this is risky, then maybe I should do an exception and just install this package from blfs even without packagemanager.

Can someone please confirm, should I remove this package and install from another source? I thought it was maybe like when Firefox warn about an untrusted site, and give me the choice to go there anyway or to cancel...

Lennie 03-13-2013 02:34 PM
I installed the version from blfs instead, and one of those scripts searched for untrusted certificates and removed them.

unSpawn 03-14-2013 02:31 AM
Thanks for posting your solution!


All times are GMT -5. The time now is 10:59 AM.