mirror of https://github.com/vincentmli/bpfire.git, synced 2026-04-09 10:35:53 +02:00
On November 30, 2022, Mozilla decided to take the following actions as a response to the concerns raised about the merits of this root CA operator (excerpt taken from https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ):

> 1. Set "Distrust for TLS After Date" and "Distrust for S/MIME
>    After Date" to November 30, 2022, for the 3 TrustCor root
>    certificates (TrustCor RootCert CA-1, TrustCor ECA-1,
>    TrustCor RootCert CA-2) that are currently included in
>    Mozilla's root store.
>
> 2. Remove those root certificates from Mozilla's root store
>    after the existing end-entity TLS certificates have expired.

As far as the latter is concerned, the offending certificates have these expiry dates set:

- TrustCor RootCert CA-1: Mon, 31 Dec 2029 17:23:16 GMT
- TrustCor RootCert CA-2: Sun, 31 Dec 2034 17:26:39 GMT
- TrustCor ECA-1: Mon, 31 Dec 2029 17:28:07 GMT

The way IPFire 2 currently processes Mozilla's trust store does not feature a way of incorporating a "Distrust for XYZ After Date" attribute. This means that although TrustCor Systems root CAs are no longer trusted by browsers using Mozilla's trust store, IPFire would still accept certificates directly or indirectly issued by this CA until December 2029 or December 2034.

To protect IPFire users, this patch therefore suggests patching our copy of Mozilla's trust store in order to remove TrustCor Systems' root CAs: The vast majority of HTTPS connections established from an IPFire machine take place in a non-interactive context, so there is no security benefit from a "Distrust After Date" information. Instead, if we do not want IPFire installations to trust this CA, we have no option other than to remove it unilaterally from our copy of Mozilla's trust store.

See also: https://lists.ipfire.org/pipermail/development/2022-November/014681.html

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
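The commit message describes two things a certdata.txt consumer can do about a root that Mozilla has marked "Distrust for TLS After Date": honour that date at bundle-build time, or cut the root out of the file by label, which is what the IPFire patch does by hand. The following is an added example written for this page, not IPFire's build.sh nor Mozilla's own tooling, and it goes beyond the commit by implementing both: it parses the certdata.txt object format (CKA_CLASS, CKA_LABEL, MULTILINE_OCTAL ... END), reads the CKA_NSS_SERVER_DISTRUST_AFTER attribute that Mozilla stores as an octal-escaped YYMMDDHHMMSSZ string, and drops every root whose date has passed or whose label matches a deny pattern. The sample certdata excerpt, its labels and DER bytes are constructed for the example; the deny pattern `^TrustCor ` is an assumption that happens to match the three labels quoted above.

```python
"""Build-time emulation of Mozilla's "Distrust for TLS After Date" for a
certdata.txt consumer that lacks it, plus removal of roots by label.
Added example for this page, not IPFire's build.sh or Mozilla's tooling;
the sample data below is constructed."""
import re
from datetime import datetime, timezone

# Constructed certdata.txt excerpt: synthetic labels, placeholder DER bytes.
# "Example Root B" has CKA_NSS_SERVER_DISTRUST_AFTER = octal-escaped
# "221130000000Z", i.e. 2022-11-30 00:00:00 UTC.
SAMPLE_CERTDATA = r"""BEGINDATA

# Certificate "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Example Root B"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root B"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
END
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\061\061\063\060\060\060\060\060\060\060\132
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""


def split_blocks(text):
    """Blank-line separated blocks of certdata.txt, each as a list of lines."""
    return [b.split("\n") for b in re.split(r"\n(?:[ \t]*\n)+", text.strip("\n"))]


def get_attr(lines, name):
    """(type, value) of attribute `name` in one object, or None; a
    MULTILINE_OCTAL body up to END is joined into one escaped string."""
    for i, line in enumerate(lines):
        if line.startswith(name + " "):
            parts = line.split(" ", 2)
            if parts[1] == "MULTILINE_OCTAL":
                return ("MULTILINE_OCTAL", "".join(lines[i + 1:lines.index("END", i + 1)]))
            return (parts[1], parts[2])
    return None


def object_class(lines):
    attr = get_attr(lines, "CKA_CLASS")
    return attr[1] if attr else None       # e.g. "CKO_CERTIFICATE"


def label_of(lines):
    attr = get_attr(lines, "CKA_LABEL")
    return attr[1].strip('"') if attr else None


def decode_octal(escaped):
    # certdata stores strings as escaped octal bytes: "\062\062" -> "22"
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", escaped)).decode("ascii")


def server_distrust_after(lines):
    """UTC datetime from CKA_NSS_SERVER_DISTRUST_AFTER (stored as
    YYMMDDHHMMSSZ), or None when the attribute is absent or CK_FALSE."""
    attr = get_attr(lines, "CKA_NSS_SERVER_DISTRUST_AFTER")
    if attr is None or attr[0] != "MULTILINE_OCTAL":
        return None
    return datetime.strptime(decode_octal(attr[1]), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def filter_certdata(text, deny_pattern, now):
    """Return (filtered_text, removed_labels). A root is removed when its label
    matches deny_pattern or its server distrust-after date is <= now. NSS pairs
    the CKO_CERTIFICATE and CKO_NSS_TRUST objects by CKA_LABEL, so both go;
    every other block passes through untouched."""
    deny = re.compile(deny_pattern)
    blocks = split_blocks(text)
    removed = set()
    for lines in blocks:
        if object_class(lines) != "CKO_CERTIFICATE":
            continue
        label, cutoff = label_of(lines), server_distrust_after(lines)
        if deny.search(label or "") or (cutoff is not None and cutoff <= now):
            removed.add(label)
    kept = [lines for lines in blocks
            if not (object_class(lines) in ("CKO_CERTIFICATE", "CKO_NSS_TRUST")
                    and label_of(lines) in removed)]
    return "\n\n".join("\n".join(b) for b in kept) + "\n", sorted(removed)


def root_labels(text):
    """Labels of the CKO_CERTIFICATE objects, in file order."""
    return [label_of(b) for b in split_blocks(text) if object_class(b) == "CKO_CERTIFICATE"]


if __name__ == "__main__":
    # Build date taken from the page's VER = 20221201; the deny pattern is an
    # assumption that matches the three TrustCor labels quoted in the commit.
    build_date = datetime(2022, 12, 1, tzinfo=timezone.utc)
    out, gone = filter_certdata(SAMPLE_CERTDATA, r"^TrustCor ", build_date)
    print("removed:", gone, "remaining:", root_labels(out))
```

Two caveats when using this in a build. Mozilla's own semantics for the date are narrower than what this does: Firefox keeps trusting leaf certificates issued before the distrust date and only rejects ones issued afterwards, whereas removing the root (by date or by label) rejects all of them, which is exactly the stricter behaviour the commit argues a non-interactive firewall needs. And because certdata.txt is refreshed on every ca-certificates update, the filtering has to run on each rebuild rather than once; a hand-written patch like the one this commit adds will stop applying the moment Mozilla itself removes the roots, which is the intended end state.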
68 lines
2.9 KiB
Plaintext
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

###############################################################################
# Definitions
###############################################################################

include Config

VER        = 20221201

# From https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

THISAPP    = ca-certificates
DIR_APP    = $(DIR_SRC)/$(THISAPP)
TARGET     = $(DIR_INFO)/$(THISAPP)

###############################################################################
# Top-level Rules
###############################################################################

install : $(TARGET)

check :

download :

b2 :

###############################################################################
# Installation Details
###############################################################################

$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
	@$(PREBUILD)
	@rm -rf $(DIR_APP) && cp -av $(DIR_CONF)/$(THISAPP) $(DIR_APP)

	# Remove TrustCor Systems root CAs (see mailing list thread:
	# https://lists.ipfire.org/pipermail/development/2022-November/014681.html)
	cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/ca-certificates-Remove-TrustCor-Systems-root-CAs.patch

	cd $(DIR_APP) && sh ./build.sh

	-mkdir -pv /etc/ssl/certs
	cd $(DIR_APP) && install -p -m 644 ca-bundle.crt ca-bundle.trust.crt \
		/etc/ssl/certs
	ln -svf certs/ca-bundle.crt /etc/ssl/cert.pem

	@rm -rf $(DIR_APP)
	@$(POSTBUILD)