From 2e7853293da7eb49c8aaa10aa4ba2d8ffa64acac Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Tue, 6 Dec 2022 15:59:43 +0100
Subject: [PATCH] cacert: Distrust TrustCor root certificates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Mozilla set "Distrust After" for the three TrustCor Root CAs¹, so new certificates issued would not be trusted after 2022/11/30, while older enduser certificates would continue working until they expire. This is a fine-grained policy option available to consumers of the NSS library, such as Firefox or Thunderbird. For Linux systems we generally export the Mozilla trust store into our own CA bundle that ultimately lacks that metadata, because there is no standardized way to parse it in the first place. That means that as long as Mozilla keeps the certificate in their CA program, even with time-based "Distrust" configured, we would keep trusting it fully². That is completely unreasonable and that is why we reject these CAs here for all users of nixpkgs. The TrustCor CAs were primarily used to sign certificates for dynamic hosts for domains provided through no-ip.com, so we expect the fallout from this to be minimal.
[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
[2] https://utcc.utoronto.ca/~cks/space/blog/linux/CARootStoreTrustProblem
---
 pkgs/data/misc/cacert/default.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index a4739edea12f..521d7433b17d 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -17,7 +17,17 @@
 }:
 let
- blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
+ blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" (blacklist ++ [
+ # Mozilla does not trust new certificates issued by these CAs after 2022/11/30¹
+ # in their products, but unfortunately we don't have such a fine-grained
+ # solution for most system packages², so we decided to eject these.
+ #
+ # [1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
+ # [2] https://utcc.utoronto.ca/~cks/space/blog/linux/CARootStoreTrustProblem
+ "TrustCor ECA-1"
+ "TrustCor RootCert CA-1"
+ "TrustCor RootCert CA-2"
+ ]));
 extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
 srcVersion = "3.83";
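Review bot: The three added blocklist entries are plain label strings, so an entry that does not exactly match a certdata.txt nickname — a typo now, or Mozilla renaming or dropping these roots in a later NSS release — would presumably be ignored without a build error, leaving the intended distrust silently unenforced (the hunk does not show whether buildcatrust rejects unknown names). Consider stating that contract next to the entries, e.g. `# Names must match the certdata.txt nicknames exactly; an unmatched name is not reported.` and `# Remove these once upstream drops the TrustCor roots from certdata.txt (tracked via srcVersion).`. A build-time check that each hard-coded name actually appears in the fetched certdata would turn a silent no-op into a failure, if buildcatrust does not already provide one. The `let` binding group continues past the end of the hunk.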