Mailing List Archive



Re: [tlug] firefox SSL certs



Hi,

On Sep 12, 2011, at 11:33, Stephen J. Turnbull wrote:

>> My third question is what would happen if I delete these new
>> symlinks?
> 
> I don't think anything will care if you delete the symlinks; both the
> meaningless names and the .0 extension seem to indicate that they're
> $TMP detritus of some sort.

No, that's wrong. If you delete the symlinks, OpenSSL and all software using this library for SSL won't be able to use the certificates for validation anymore, because OpenSSL doesn't care about the *.pem filenames but expects correctly named symlinks following a certain hashing scheme (these are the 12345.0 links you're seeing). You can actually regenerate these symlinks via the "c_rehash" script supplied by the openssl package.

>> What would happen if I deleted the *.pem files they point to? Would
>> it just mean an extra behind-the-scenes certificate download next
>> time I visit a site that needs it? (In other words is
>> /etc/ssl/certs just a cache directory?) Or would valid sites start
>> complaining when I browse them?
> 
> AFAIK those certs are all root authorities.  Those will not be
> downloaded just because you browse a page, because those are the
> ultimate control over who you trust without following the chain
> yourself, and who you don't.  Of course what this means is that
> ultimately you trust Mozilla ....

Mozilla, Debian and all others recently pushed an urgent security update which removes the root certificate of the DigiNotar CA from the trust store (aka /etc/ssl/certs).

See this security advisory: http://www.debian.org/security/2011/dsa-2299

By the way, all SSL certificates in /etc/ssl/certs are supplied via this package:
http://packages.debian.org/squeeze/ca-certificates
(an equivalent package also exists in Ubuntu)

Philipp

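Philipp's point about the hash-named symlinks, shown as a constructed example that is not part of this thread: a small POSIX-shell reimplementation of what c_rehash does for one directory, run against a throwaway self-signed demo CA, with a check that OpenSSL verification fails before the links exist and succeeds once they do. The function names and the demo CA subject are assumptions; the real script is the one shipped with the openssl package.

```shell
#!/bin/sh
# Added demo (not from the thread): rebuild the <subject_hash>.N symlinks that
# OpenSSL expects in a -CApath directory, and show verification depends on them.
set -eu

# Create a throwaway CA directory holding one self-signed root (constructed cert).
make_demo_capath() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA (constructed)" \
        -keyout "$dir/demo-root.key" -out "$dir/demo-root.pem" >/dev/null 2>&1
    echo "$dir"
}

# Minimal equivalent of c_rehash for one directory: for every *.pem, link
# <subject_hash>.N -> file, where N avoids collisions between subjects that
# share a hash. (c_rehash additionally creates -subject_hash_old links for
# pre-1.0.0 OpenSSL; that is omitted here.)
rehash_capath() {
    capath=$1
    for pem in "$capath"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -in "$pem" -noout -subject_hash)
        n=0
        while [ -e "$capath/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$capath/$hash.$n"
    done
}

# Returns 0 if the demo root verifies against the directory, non-zero otherwise.
# OpenSSL looks the issuer up by hashed filename, so the *.pem alone is not enough.
verifies_with_capath() {
    openssl verify -CApath "$1" "$1/demo-root.pem" >/dev/null 2>&1
}

# Usage (against the demo directory, never the live /etc/ssl/certs):
#   d=$(make_demo_capath); rehash_capath "$d"; verifies_with_capath "$d" && echo OK
```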

