On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote: > On Sat, May 29, 2021 at 03:08:39AM +0200, zca...@gmail.com wrote > > > 125 config files in /etc/ssl/certs needs update. > > > > For certificates I would expect the old and invalid ones to be replaced > > by newer ones without user intervention. > > Looking through them is "interesting". There seem to be a lot of > /etc/ssl/certs/????????.0 files, where "?" is either a random number or > a lower case letter. These all seem to be symlinks to > /etc/ssl/certs/<Some_Name>.pem. Each of those files is in turn a > symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt. How much > do we trust China? There are a couple of certificates in there named > /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and > /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any > other suspicious regimes in there?
I've always wondered about the amount of CAs that are auto-trusted on any system. Including several from countries with serious human rights issues. I could do with a tool where I can easily select which CAs to trust based on country. -- Joost
