alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity

cacert: Distrust TrustCor root certificates

Browse source 
Mozilla set "Distrust After" for the three TrustCor Root CAs¹, so new
certificates issued would not be trusted after 2022/11/30, while older
enduser certificates would continue working until they expire. This is a
fine-grained policy option available to consumers of the NSS library,
such as Firefox or Thunderbird.

For Linux systems we generally export the Mozilla trust store into our
own CA bundle that ultimately lacks that metadata, because there is no
standardized way to parse it in the first place.

That means that as long as Mozilla keeps the certificate in their CA
program, even with time-based "Distrust" configured, we would keep
trusting it fully². That is completely unreasonable and that is why we
reject these CAs here for all users of nixpkgs.

The TrustCor CAs were primarily used to sign certificates for dynamic
hosts for domains provided through no-ip.com, so we expect the fallout
from this to be minimal.

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
[2] https://utcc.utoronto.ca/~cks/space/blog/linux/CARootStoreTrustProblem
This commit is contained in:
Martin Weinelt 2022-12-06 15:59:43 +01:00
parent 60f52f6c83
commit 2e7853293d
No known key found for this signature in database
GPG key ID: 87C1E9888F856759
1 changed files with 11 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
pkgs/data/misc/cacert/default.nix
View file

@ -17,7 +17,17 @@
}:
let
blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" (blacklist ++ [
# Mozilla does not trust new certificates issued by these CAs after 2022/11/30¹
# in their products, but unfortunately we don't have such a fine-grained
# solution for most system packages², so we decided to eject these.
#
# [1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
# [2] https://utcc.utoronto.ca/~cks/space/blog/linux/CARootStoreTrustProblem
"TrustCor ECA-1"
"TrustCor RootCert CA-1"
"TrustCor RootCert CA-2"
]));
extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
srcVersion = "3.83";