mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 10:35:53 +02:00
8d1f604b4a
On November 30, 2022, Mozilla decided to take the following actions as a response to the concerns raised about the merits of this root CA operator (excerpt taken from https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ): > 1. Set "Distrust for TLS After Date" and "Distrust for S/MIME > After Date" to November 30, 2022, for the 3 TrustCor root > certificates (TrustCor RootCert CA-1, TrustCor ECA-1, > TrustCor RootCert CA-2) that are currently included in > Mozilla's root store. > > 2. Remove those root certificates from Mozilla's root store > after the existing end-entity TLS certificates have expired. As far as the latter is concerned, the offending certificates have these expiry dates set: - TrustCor RootCert CA-1: Mon, 31 Dec 2029 17:23:16 GMT - TrustCor RootCert CA-2: Sun, 31 Dec 2034 17:26:39 GMT - TrustCor ECA-1: Mon, 31 Dec 2029 17:28:07 GMT The way IPFire 2 currently processes Mozilla's trust store does not feature a way of incorporate a "Distrust for XYZ After Date" attribute. This means that despite TrustCor Systems root CAs are no longer trusted by browsers using Mozilla's trust store, IPFire would still accept certificates directly or indirectly issued by this CA until December 2029 or December 2034. To protect IPFire users, this patch therefore suggests to patch our copy of Mozilla's trust store in order to remove TrustCor Systems' root CAs: The vast majority of HTTPS connections established from an IPFire machine take place in a non-interactive context, so there is no security benefit from a "Distrust After Date" information. Instead, if we do not want IPFire installations to trust this CA, we have no other option other than remove it unilaterally from our copy of Mozilla's trust store. See also: https://lists.ipfire.org/pipermail/development/2022-November/014681.html Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
IPFire 2.x - The Open Source Firewall
What is IPFire?
IPFire is a hardened, versatile, state-of-the-art Open Source firewall based on Linux. Its ease of use, high performance in any scenario and extensibility make it usable for everyone. For a full list of features have a look here.
This repository contains the source code of IPFire 2.x which is used to build the whole distribution from scratch, since IPFire is not based on any other distribution.
Where can I get IPFire?
Just head over to https://www.ipfire.org/download
How do I use this software?
We have a long and detailed wiki located here which should answers most of your questions.
But I have some questions left. Where can I get support?
You can ask your question at our community located here. A complete list of our support channels can be found here.
How can I contribute?
We have another document for this. Please look here.